Export limit exceeded: 357078 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (6763 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12735 | 3 Expr-eval Project, Jorenbroekema, Silentmatt | 3 Expr-eval, Javascript Expression Evaluator, Javascript Expression Evaluator | 2026-02-10 | 9.8 Critical |
| The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution. | ||||
| CVE-2025-61732 | 2 Golang, Gotoolchain | 2 Go, Cmd/go | 2026-02-10 | 8.6 High |
| A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||||
| CVE-2020-37137 | 1 Php-fusion | 2 Php-fusion, Phpfusion | 2026-02-09 | 6.1 Medium |
| PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. | ||||
| CVE-2025-57283 | 1 Browserstack | 1 Browserstack-local | 2026-02-09 | 7.8 High |
| The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | ||||
| CVE-2025-13984 | 2 Drupal, Kanopi | 2 Next.js, Next.js | 2026-02-06 | 6.1 Medium |
| Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | ||||
| CVE-2025-55462 | 1 Eramba | 1 Eramba | 2026-02-05 | 6.5 Medium |
| A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | ||||
| CVE-2025-36353 | 1 Ibm | 1 Db2 | 2026-02-05 | 6.2 Medium |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | ||||
| CVE-2025-36366 | 1 Ibm | 1 Db2 | 2026-02-05 | 6.5 Medium |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination. | ||||
| CVE-2025-36442 | 1 Ibm | 1 Db2 | 2026-02-05 | 6.5 Medium |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. | ||||
| CVE-2025-60785 | 2 Icescrum, Kagilum | 2 Icescrum, Icescrum | 2026-02-04 | 8.8 High |
| A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. | ||||
| CVE-2025-10875 | 1 Salesforce | 2 Mulesoft, Mulesoft Anypoint Code Builder | 2026-02-04 | 6.5 Medium |
| Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6. | ||||
| CVE-2025-64318 | 1 Salesforce | 2 Mulesoft, Mulesoft Anypoint Code Builder | 2026-02-04 | 5.3 Medium |
| Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1. | ||||
| CVE-2025-64320 | 1 Salesforce | 2 Agentforce Vibes, Agentforce Vibes Extension | 2026-02-04 | 6.5 Medium |
| Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0. | ||||
| CVE-2025-64321 | 1 Salesforce | 2 Agentforce Vibes, Agentforce Vibes Extension | 2026-02-04 | 5.3 Medium |
| Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0. | ||||
| CVE-2025-10370 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2026-02-03 | 3.5 Low |
| A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-69564 | 2 Code-projects, Fabian | 2 Mobile Shop Management System, Mobile Shop Management System | 2026-02-02 | 9.8 Critical |
| code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. | ||||
| CVE-2018-17207 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | 9.8 Critical |
| An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | ||||
| CVE-2024-42756 | 1 Netgear | 3 Dgn1000 Firmware, Dgn1000ww, Dgn1000ww Firmware | 2026-01-30 | 8.8 High |
| An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page | ||||
| CVE-2025-55423 | 1 Iptime | 326 A1, A1004, A1004 Firmware and 323 more | 2026-01-30 | 9.8 Critical |
| A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | ||||
| CVE-2025-13086 | 1 Openvpn | 1 Openvpn | 2026-01-30 | 7.5 High |
| Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client | ||||