Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,868
Quick preset (or use dates below)
Clear Filters
Showing 12,321 - 12,340 of 14,217 CVEs
CVE-2025-69875 HIGH - 7.8

A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abu...

Published: Feb 03, 2026
Source: NVD
CVE-2025-69429 HIGH - 7.5

The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the ...

Published: Feb 03, 2026
Source: NVD
CVE-2025-66374 HIGH - 7.8

CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task.

Published: Feb 03, 2026
Source: NVD
CVE-2025-65875 HIGH - 8.8

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

Published: Feb 03, 2026
Source: NVD
CVE-2025-63372 HIGH - 7.5

Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents.

Published: Feb 03, 2026
Source: NVD
CVE-2025-60865 HIGH - 7.8

Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component.

Published: Feb 03, 2026
Source: NVD
CVE-2025-59439 HIGH - 7.5

An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions.

Vendor: samsung
Product: exynos_990_firmware
Published: Feb 03, 2026
Source: NVD
CVE-2020-37116 HIGH - 8.8

GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise.

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD
CVE-2020-37113 HIGH - 8.8

GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intend...

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD
CVE-2020-37112 HIGH - 7.1

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database inform...

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD
CVE-2020-37110 HIGH - 8.2

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract o...

Vendor: Davidvg
Product: 60CycleCMS
Published: Feb 03, 2026
Source: NVD
CVE-2020-37108 HIGH - 7.1

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database inf...

Vendor: AllHandsMarketing
Product: PhpIX 2012 Professional
Published: Feb 03, 2026
Source: NVD
CVE-2020-37105 HIGH - 7.1

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download....

Vendor: redmine
Product: PMB
Published: Feb 03, 2026
Source: NVD

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerabil...

Vendor: composer
Product: facturascripts/facturascripts
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24884 HIGH - 8.4

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause s...

Vendor: npm
Product: compressing
Published: Feb 03, 2026
Source: GitHub

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allo...

Vendor: rustfs
Product: rustfs
Published: Feb 03, 2026
Source: NVD
CVE-2026-25027 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion.This issue affects Unicamp: from n/a through <= 2.7.1.

Vendor: ThemeMove
Product: Unicamp
Published: Feb 03, 2026
Source: NVD
CVE-2026-25022 HIGH - 8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.16.

Vendor: Iqonic Design
Product: KiviCare
Published: Feb 03, 2026
Source: NVD
CVE-2026-24954 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.0.8.

Vendor: magepeopleteam
Product: WpEvently
Published: Feb 03, 2026
Source: NVD
CVE-2026-1285 HIGH - 7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-o...

Vendor: pip
Product: Django
Published: Feb 03, 2026
Source: NVD