Export limit exceeded: 335260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 335260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335260 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66630 | 2 Gofiber, Golang | 2 Fiber, Go | 2026-02-28 | 9.4 Critical |
| Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11. | ||||
| CVE-2026-25598 | 2 Step Security, Stepsecurity | 2 Harden Runner, Harden-runner | 2026-02-28 | 5.3 Medium |
| Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2. | ||||
| CVE-2026-25761 | 2 Super-linter, Super-linter Project | 2 Super-linter, Super-linter | 2026-02-28 | 8.8 High |
| Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1. | ||||
| CVE-2026-25878 | 1 Friendsofshopware | 2 Froshadminer, Froshplatformadminer | 2026-02-28 | 5.3 Medium |
| FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1. | ||||
| CVE-2026-25808 | 2 Fedify, Fedify-dev | 2 Hollo, Hollo | 2026-02-28 | 7.5 High |
| Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2. | ||||
| CVE-2026-25918 | 1 Rageagainstthepixel | 1 Unity-cli | 2026-02-28 | 5.5 Medium |
| unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2. | ||||
| CVE-2026-25925 | 1 Modery | 1 Powerdocu | 2026-02-28 | 7.8 High |
| PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to instantiate arbitrary .NET objects and execute code. This vulnerability is fixed in 2.4.0. | ||||
| CVE-2025-11142 | 2 Axis, Axis Communications Ab | 2 Axis Os, Axis Os | 2026-02-28 | 7.1 High |
| The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. | ||||
| CVE-2026-26338 | 1 Hyland | 3 Alfresco Community, Alfresco Transformation Service, Transform Core Aio | 2026-02-28 | 6.5 Medium |
| Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality. | ||||
| CVE-2026-26339 | 1 Hyland | 3 Alfresco Community, Alfresco Transformation Service, Transform Core Aio | 2026-02-28 | 9.8 Critical |
| Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality. | ||||
| CVE-2025-13671 | 1 Opentext | 1 Web Site Management Server | 2026-02-27 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This issue affects Web Site Management Server: 16.7.0, 16.7.1. | ||||
| CVE-2025-13672 | 1 Opentext | 1 Web Site Management Server | 2026-02-27 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1. | ||||
| CVE-2025-8054 | 1 Opentext | 1 Xm Fax | 2026-02-27 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. This issue affects XM Fax: 24.2. | ||||
| CVE-2025-8055 | 1 Opentext | 1 Xm Fax | 2026-02-27 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2. | ||||
| CVE-2025-9208 | 1 Opentext | 1 Web Site Management Server | 2026-02-27 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data. This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1. | ||||
| CVE-2026-1292 | 1 Tanium | 2 Service Trends, Trends | 2026-02-27 | 6.5 Medium |
| Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. | ||||
| CVE-2026-2350 | 1 Tanium | 4 Interact, Service Interact, Service Tds and 1 more | 2026-02-27 | 6.5 Medium |
| Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS. | ||||
| CVE-2026-2647 | 2026-02-27 | N/A | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2026-28517 | 2026-02-27 | N/A | ||
| openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process. | ||||
| CVE-2026-28516 | 2026-02-27 | N/A | ||
| openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database. | ||||