Export limit exceeded: 16269 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (7678 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15541 | 1 Tp-link | 1 Vx800v | 2026-02-04 | N/A |
| Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. | ||||
| CVE-2025-15543 | 1 Tp-link | 1 Vx800v | 2026-02-04 | N/A |
| Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files. | ||||
| CVE-2026-25211 | 1 Llamastack | 1 Llama Stack | 2026-02-04 | 3.2 Low |
| Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. | ||||
| CVE-2026-1622 | 1 Neo4j | 2 Community Edition, Enterprise Edition | 2026-02-04 | 5.5 Medium |
| Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. | ||||
| CVE-2026-24472 | 1 Hono | 1 Hono | 2026-02-04 | 5.3 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | ||||
| CVE-2025-48780 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 9.8 Critical |
| A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object. | ||||
| CVE-2026-24954 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.0.8. | ||||
| CVE-2025-40551 | 1 Solarwinds | 1 Web Help Desk | 2026-02-04 | 9.8 Critical |
| SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | ||||
| CVE-2025-40553 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | 9.8 Critical |
| SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | ||||
| CVE-2025-9521 | 1 Tp-link | 1 Omada Controller | 2026-02-03 | N/A |
| Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. | ||||
| CVE-2025-61505 | 1 E107 | 1 E107 | 2026-02-03 | 6.5 Medium |
| e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase. | ||||
| CVE-2025-30160 | 1 Redlib | 1 Redlib | 2026-02-03 | 7.5 High |
| Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0. | ||||
| CVE-2025-54723 | 1 Wordpress | 1 Wordpress | 2026-02-03 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3. | ||||
| CVE-2020-36968 | 1 Tildeslash | 2 M\/monit, Monit | 2026-02-03 | 6.5 Medium |
| M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. | ||||
| CVE-2025-68716 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | 8.4 High |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | ||||
| CVE-2025-68719 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | 8.8 High |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device. | ||||
| CVE-2025-33210 | 1 Nvidia | 1 Isaac Lab | 2026-02-02 | 9 Critical |
| NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. | ||||
| CVE-2026-0519 | 1 Absolute | 1 Secure Access | 2026-02-02 | 3.4 Low |
| In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | ||||
| CVE-2026-22240 | 2 Bluspark Global, Blusparkglobal | 2 Bluvoyix, Bluvoyix | 2026-02-02 | 7.5 High |
| The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | ||||
| CVE-2025-6391 | 1 Brocade | 1 Ascg | 2026-02-02 | 9.8 Critical |
| Brocade ASCG before 3.3.0 logs JSON Web Tokens (JWT) in log files. An attacker with access to the log files can withdraw the unencrypted tokens with security implications, such as unauthorized access, session hijacking, and information disclosure. | ||||