Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,900
Quick preset (or use dates below)
Clear Filters
Showing 12,401 - 12,420 of 14,675 CVEs
CVE-2026-1895 MEDIUM - 6.3

A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address ...

Vendor: wekan_project
Product: wekan
Published: Feb 04, 2026
Source: NVD
CVE-2026-1894 MEDIUM - 6.3

A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack ...

Vendor: wekan_project
Product: wekan
Published: Feb 04, 2026
Source: NVD
CVE-2023-43636 MEDIUM - 6.7

In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed. This incl...

Vendor: go
Product: github.com/lf-edge/eve/pkg/grub
Published: Feb 04, 2026
Source: GitHub
CVE-2023-43635 MEDIUM - 6.7

Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to seal/unseal a key fro...

Vendor: go
Product: github.com/lf-edge/eve
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25540 MEDIUM - 6.5

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that d...

Vendor: mastodon
Product: mastodon
Published: Feb 04, 2026
Source: NVD
CVE-2026-1892 MEDIUM - 5.0

A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remot...

Vendor: wekan_project
Product: wekan
Published: Feb 04, 2026
Source: NVD
CVE-2026-1884 MEDIUM - 4.7

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made avai...

Vendor: zentao
Product: zentao
Published: Feb 04, 2026
Source: NVD
CVE-2024-51451 MEDIUM - 6.5

IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Vendor: IBM
Product: Concert
Published: Feb 04, 2026
Source: NVD
CVE-2024-43181 MEDIUM - 6.3

IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Vendor: IBM
Product: Concert
Published: Feb 04, 2026
Source: NVD
CVE-2024-40685 MEDIUM - 4.3

IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions.

Vendor: IBM
Product: Operations Analytics - Log Analysis
Published: Feb 04, 2026
Source: NVD
CVE-2023-43634 MEDIUM - 5.9

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. I...

Vendor: go
Product: github.com/lf-edge/eve
Published: Feb 04, 2026
Source: GitHub
CVE-2023-43633 MEDIUM - 5.9

On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. ...

Vendor: go
Product: github.com/lf-edge/eve
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25511 MEDIUM - 4.9

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSR...

Vendor: Intermesh
Product: groupoffice
Published: Feb 04, 2026
Source: NVD
CVE-2026-1554 MEDIUM - 4.2

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

Vendor: jtenman
Product: central_authentication_system_server
Published: Feb 04, 2026
Source: NVD
CVE-2026-1553 MEDIUM - 4.8

Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.

Vendor: drupal_canvas_project
Product: drupal_canvas
Published: Feb 04, 2026
Source: NVD
CVE-2026-0948 MEDIUM - 6.5

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.

Vendor: jaseerkinangattil
Product: microsoft_entra_id_sso_login
Published: Feb 04, 2026
Source: NVD
CVE-2026-0947 MEDIUM - 4.8

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.

Vendor: bordeaux-metropole
Product: at_internet_piano_analytics
Published: Feb 04, 2026
Source: NVD
CVE-2026-0946 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.

Vendor: bordeaux-metropole
Product: at_internet_smarttag
Published: Feb 04, 2026
Source: NVD
CVE-2026-0944 MEDIUM - 5.3

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.

Vendor: metadrop
Product: group_invite
Published: Feb 04, 2026
Source: NVD
CVE-2024-39724 MEDIUM - 5.3

IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service.

Vendor: IBM
Product: Db2 Big SQL on Cloud Pak for Data
Published: Feb 04, 2026
Source: NVD