Total
330153 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67274 | 2026-01-27 | 7.5 High | ||
| An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints | ||||
| CVE-2025-57785 | 1 Hiawatha | 1 Web Server | 2026-01-27 | 6.5 Medium |
| A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. | ||||
| CVE-2025-70982 | 2026-01-27 | 9.9 Critical | ||
| Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | ||||
| CVE-2020-36959 | 1 Idt | 1 Idt Audio | 2026-01-27 | 7.8 High |
| IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup. | ||||
| CVE-2026-24830 | 2026-01-27 | 9.8 Critical | ||
| Integer Overflow or Wraparound vulnerability in Ralim IronOS.This issue affects IronOS: before v2.23-rc2. | ||||
| CVE-2025-11065 | 1 Redhat | 13 Acm, Advanced Cluster Security, Certifications and 10 more | 2026-01-27 | 5.3 Medium |
| A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. | ||||
| CVE-2025-11687 | 1 Gnome | 1 Gi-docgen | 2026-01-27 | 6.1 Medium |
| A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | ||||
| CVE-2025-14969 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jbosseapxp, Openshift Devspaces and 1 more | 2026-01-27 | 4.3 Medium |
| A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. | ||||
| CVE-2025-41727 | 2026-01-27 | 7.8 High | ||
| A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | ||||
| CVE-2020-36956 | 1 Igniterealtime | 1 Openfire | 2026-01-27 | 6.4 Medium |
| Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. | ||||
| CVE-2025-58944 | 2 Axiomthemes, Wordpress | 2 Manufactory, Wordpress | 2026-01-27 | 8.2 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion.This issue affects Manufactory: from n/a through <= 1.4. | ||||
| CVE-2025-55423 | 1 Iptime | 41 A2003ns-mu, A2004mu, A2004ns-mu and 38 more | 2026-01-27 | 9.8 Critical |
| A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | ||||
| CVE-2026-24049 | 1 Pypa | 1 Wheel | 2026-01-27 | 7.1 High |
| wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. | ||||
| CVE-2023-29240 | 1 F5 | 1 Big-iq Centralized Management | 2026-01-27 | 5.4 Medium |
| An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-23419 | 3 Debian, F5, Redhat | 4 Debian Linux, Nginx, Nginx Plus and 1 more | 2026-01-27 | 4.3 Medium |
| When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-58153 | 1 F5 | 22 Big-ip, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 19 more | 2026-01-27 | 5.9 Medium |
| Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-54755 | 1 F5 | 22 Big-ip, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 19 more | 2026-01-27 | 4.9 Medium |
| A directory traversal vulnerability exists in TMUI that allows a highly privileged authenticated attacker to access files which are not limited to the intended files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2026-0696 | 1 Connectwise | 2 Professional Service Automation, Psa | 2026-01-27 | 6.5 Medium |
| In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | ||||
| CVE-2026-0695 | 1 Connectwise | 2 Professional Service Automation, Psa | 2026-01-27 | 8.7 High |
| In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed. | ||||
| CVE-2025-13881 | 2026-01-27 | 2.7 Low | ||
| No description is available for this CVE. | ||||