CVE-2025-15315 MEDIUM - 6.7

Tanium addressed a local privilege escalation vulnerability in Tanium Module Server.

Vendor: Tanium
Product: Tanium Module Server
Published: Feb 09, 2026
Source: NVD

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. ...

Vendor: FriendsOfShopware
Product: FroshPlatformAdminer
Published: Feb 09, 2026
Source: NVD

CVE-2026-25806 MEDIUM - 6.5

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do no...

Vendor: Praskla-Technology
Product: assessment-placipy
Published: Feb 09, 2026
Source: NVD

CVE-2026-25765 MEDIUM - 5.8

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3...

Vendor: lostisland
Product: faraday
Published: Feb 09, 2026
Source: NVD

CVE-2026-25528 MEDIUM - 5.8

LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the ...

Vendor: langchain-ai
Product: langsmith-sdk
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowi...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) ar...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass ...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-im...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

CVE-2026-25230 MEDIUM - 4.6

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is fixed...

Vendor: error311
Product: FileRise
Published: Feb 09, 2026
Source: NVD

CVE-2026-24900 MEDIUM - 6.5

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content endpoint accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by ...

Vendor: MarkUsProject
Product: Markus
Published: Feb 09, 2026
Source: NVD

CVE-2025-14778 MEDIUM - 5.4

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the fi...

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Published: Feb 09, 2026
Source: NVD

CVE-2026-24777 MEDIUM - 6.7

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only apply to regular users of the application; such users were not supposed to be able to lock application administrators. ...

Vendor: opf
Product: openproject
Published: Feb 09, 2026
Source: NVD

CVE-2026-21419 MEDIUM - 6.6

Dell Display and Peripheral Manager (Windows) versions prior to 2.2 contain an Improper Link Resolution Before File Access ('Link Following') vulnerability in the Installer and Service. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Ele...

Vendor: Dell
Product: Display and Peripheral Manager (Windows)
Published: Feb 09, 2026
Source: NVD

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic...

Vendor: actions
Product: step-security/harden-runner
Published: Feb 09, 2026
Source: GitHub

CVE-2026-25480 MEDIUM - 6.5

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated rem...

Vendor: pip
Product: litestar
Published: Feb 09, 2026
Source: GitHub

CVE-2026-25479 MEDIUM - 6.5

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass ...

Vendor: pip
Product: litestar
Published: Feb 09, 2026
Source: GitHub

CVE-2026-24027 MEDIUM - 5.3

Crafted zones can lead to increased incoming network traffic.

Vendor: PowerDNS
Product: Recursor
Published: Feb 09, 2026
Source: NVD

CVE-2026-0398 MEDIUM - 5.3

Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.

Published: Feb 09, 2026
Source: NVD

CVE-2025-63354 MEDIUM - 4.6

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript.

Vendor: hitrontech
Product: hi3120_firmware
Published: Feb 09, 2026
Source: NVD