Total
12868 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12543 | 1 Redhat | 9 Apache Camel Hawtio, Camel Spring Boot, Enterprise Linux and 6 more | 2026-01-09 | 9.6 Critical |
| A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. | ||||
| CVE-2025-64991 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2025-64992 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2025-64993 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2026-21505 | 1 Internationalcolorconsortium | 1 Iccdev | 2026-01-08 | 5.5 Medium |
| iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2. | ||||
| CVE-2025-15453 | 1 Milvus | 1 Milvus | 2026-01-08 | 6.3 Medium |
| A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8. | ||||
| CVE-2025-52519 | 1 Samsung | 4 Exynos, Mobile, Mobile Processor Wearable Processor and 1 more | 2026-01-08 | 7.1 High |
| An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. | ||||
| CVE-2025-61916 | 1 Linuxfoundation | 1 Spinnaker | 2026-01-08 | 7.9 High |
| Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This also includes calling internal spinnaker API's via a get and similar endpoints. Further, depending upon the artifact in question, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers) leading to credentials exposure. To trigger this, a spinnaker installation MUST have two things. The first is an artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). The second is a system that can consume the output of these artifacts. e.g. Rosco helm can use this to fetch values data. K8s account manifests if the API returns JSON can be used to inject that data into the pipeline itself though the pipeline would fail. This vulnerability is fixed in versions 2025.1.6, 2025.2.3, and 2025.3.0. As a workaround, disable HTTP account types that allow user input of a given URL. This is probably not feasible in most cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe as they limit artifact URL loading. Alternatively, use one of the various vendors which provide OPA policies to restrict pipelines from accessing or saving a pipeline with invalid URLs. | ||||
| CVE-2025-66786 | 1 Openairinterface | 1 Cn5g Amf | 2026-01-08 | 7.5 High |
| OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack. | ||||
| CVE-2025-59301 | 1 Deltaww | 2 Dvp15mc11t, Dvp15mc11t Firmware | 2026-01-08 | 4 Medium |
| Delta Electronics DVP15MC11TĀ lacks proper validation of the modbus/tcp packets and can lead to denial of service. | ||||
| CVE-2025-40325 | 1 Linux | 2 Kernel, Linux Kernel | 2026-01-08 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: md/raid10: wait barrier before returning discard request with REQ_NOWAIT raid10_handle_discard should wait barrier before returning a discard bio which has REQ_NOWAIT. And there is no need to print warning calltrace if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks dmesg and reports error if dmesg has warning/error calltrace. | ||||
| CVE-2025-62571 | 1 Microsoft | 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more | 2026-01-07 | 7.8 High |
| Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-65561 | 1 Free5gc | 2 Free5gc, Upf | 2026-01-07 | 7.5 High |
| An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request. | ||||
| CVE-2025-58173 | 1 Freshrss | 1 Freshrss | 2026-01-07 | 8.8 High |
| FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue. | ||||
| CVE-2025-8075 | 1 Hanwhavision | 512 Knb-2000, Knb-2000 Firmware, Knb-5000n and 509 more | 2026-01-07 | 6.1 Medium |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | ||||
| CVE-2025-52600 | 1 Hanwhavision | 512 Knb-2000, Knb-2000 Firmware, Knb-5000n and 509 more | 2026-01-07 | 9.8 Critical |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in camera video analytics that Improper input validation. This vulnerability could allow an attacker to execute specific commands on the user's host PC.The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | ||||
| CVE-2025-12942 | 1 Netgear | 4 R6260, R6260 Firmware, R6850 and 1 more | 2026-01-07 | 7.5 High |
| Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution.This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86. | ||||
| CVE-2025-59207 | 1 Microsoft | 18 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 15 more | 2026-01-07 | 7.8 High |
| Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59228 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-01-07 | 8.8 High |
| Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-15358 | 2 Delta Electronics, Deltaww | 3 Dvp-12se11t, Dvp-12se11t, Dvp-12se11t Firmware | 2026-01-06 | 7.5 High |
| DVP-12SE11T - Denial of Service Vulnerability | ||||