Total
330232 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14969 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jbosseapxp, Openshift Devspaces and 1 more | 2026-01-27 | 4.3 Medium |
| A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. | ||||
| CVE-2026-1190 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2026-01-27 | 3.1 Low |
| A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. | ||||
| CVE-2026-1485 | 1 Redhat | 1 Enterprise Linux | 2026-01-27 | 2.8 Low |
| A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | ||||
| CVE-2026-1443 | 1 Code-projects | 1 Online Music Site | 2026-01-27 | 7.3 High |
| A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-9522 | 1 Tp-link | 1 Omada Controller | 2026-01-27 | N/A |
| Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. | ||||
| CVE-2026-23864 | 1 Facebook | 3 React-server-dom-parcel, React-server-dom-turbopack, React-server-dom-webpack | 2026-01-27 | 7.5 High |
| Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | ||||
| CVE-2025-14525 | 1 Redhat | 1 Container Native Virtualization | 2026-01-27 | 6.4 Medium |
| A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. | ||||
| CVE-2025-14756 | 1 Tp-link | 1 Archer Mr600 | 2026-01-27 | N/A |
| Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. | ||||
| CVE-2025-9820 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-01-27 | 4 Medium |
| A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. | ||||
| CVE-2025-9520 | 1 Tp-link | 1 Omada Controller | 2026-01-27 | N/A |
| An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | ||||
| CVE-2025-57783 | 1 Hiawatha | 1 Web Server | 2026-01-27 | 5.3 Medium |
| Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver. | ||||
| CVE-2026-1224 | 2026-01-27 | 4.9 Medium | ||
| Tanium addressed an uncontrolled resource consumption vulnerability in Discover. | ||||
| CVE-2025-57784 | 1 Hiawatha | 1 Web Server | 2026-01-27 | 4 Medium |
| Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. | ||||
| CVE-2026-0810 | 1 Redhat | 2 Enterprise Linux, Logging | 2026-01-27 | 6.8 Medium |
| A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. | ||||
| CVE-2026-24344 | 2026-01-27 | N/A | ||
| Multiple Buffer Overflows in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to cause a program crash and potential remote code execution | ||||
| CVE-2026-24348 | 2026-01-27 | N/A | ||
| Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | ||||
| CVE-2026-24479 | 1 Hustoj | 1 Hustoj | 2026-01-27 | N/A |
| HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue. | ||||
| CVE-2026-24490 | 1 Mobsf | 1 Mobile Security Framework | 2026-01-27 | 8.1 High |
| MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. | ||||
| CVE-2026-24826 | 2026-01-27 | N/A | ||
| Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects . | ||||
| CVE-2020-36953 | 1 Minitool | 1 Shadowmaker | 2026-01-27 | 7.8 High |
| MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges. | ||||