Export limit exceeded: 41553 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (41553 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25889 | 1 Filebrowser | 1 Filebrowser | 2026-02-23 | 5.4 Medium |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1. | ||||
| CVE-2026-23829 | 1 Axllent | 1 Mailpit | 2026-02-23 | 5.3 Medium |
| Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. | ||||
| CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2026-02-23 | 9.8 Critical |
| csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | ||||
| CVE-2025-69806 | 1 P2r3 | 1 Bareiron | 2026-02-23 | 7.5 High |
| p2r3 bareiron commit: 8e4d4020d contains an Out-of-bounds Read, which allows unauthenticated remote attackers to get relative information leakage via a packet sent to the server | ||||
| CVE-2025-69807 | 1 P2r3 | 1 Bareiron | 2026-02-23 | 7.5 High |
| p2r3 Bareiron commit: 8e4d4020d is vulnerable to Buffer Overflow, which allows unauthenticated remote attackers to cause a denial of service via a packet sent to the server. | ||||
| CVE-2026-25996 | 2 Inspektor-gadget, Linuxfoundation | 2 Inspektor-gadget, Inspektor Gadget | 2026-02-23 | 9.8 Critical |
| Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively. | ||||
| CVE-2025-41742 | 1 Sprecher-automation | 6 Sprecon-e-c, Sprecon-e-c Firmware, Sprecon-e-p and 3 more | 2026-02-23 | 9.8 Critical |
| Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 is vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance. | ||||
| CVE-2025-41744 | 1 Sprecher-automation | 6 Sprecon-e-c, Sprecon-e-c Firmware, Sprecon-e-p and 3 more | 2026-02-23 | 9.1 Critical |
| Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity. | ||||
| CVE-2026-26011 | 2 Opennav, Ros-navigation | 2 Nav2, Navigation2 | 2026-02-23 | 9.8 Critical |
| navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to the /initialpose topic, an unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write (set->clusters[-1]) into heap memory preceding the allocated buffer. In Release builds, the sole boundary check (assert) is compiled out, leaving zero runtime protection. This primitive allows controlled corruption of the heap chunk metadata(at least the size of the heap chunk where the set->clusters is in is controllable by the attacker), potentially leading to further exploitation. At minimum, it provides a reliable single-packet denial of service that kills localization and halts all navigation. | ||||
| CVE-2026-20846 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-02-23 | 7.5 High |
| Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-21261 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-02-23 | 5.5 Medium |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2026-21527 | 1 Microsoft | 8 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 5 more | 2026-02-23 | 6.5 Medium |
| User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-21218 | 3 Apple, Linux, Microsoft | 4 Macos, Linux Kernel, .net and 1 more | 2026-02-23 | 7.5 High |
| Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-21258 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-02-23 | 5.5 Medium |
| Improper input validation in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2026-25513 | 2 Facturascripts, Neorazorx | 2 Facturascripts, Facturascripts | 2026-02-23 | 8.8 High |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. | ||||
| CVE-2025-14547 | 1 Silabs | 2 Gecko Sdk, Simplicity Sdk | 2026-02-23 | N/A |
| An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service. | ||||
| CVE-2025-14055 | 1 Silabs | 1 Simplicity Sdk | 2026-02-23 | N/A |
| An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet. | ||||
| CVE-2026-22885 | 1 Enocean Edge | 1 Smartserver Iot | 2026-02-23 | 3.7 Low |
| A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. | ||||
| CVE-2026-2327 | 2 Markdown-it, Markdown-it Project | 2 Markdown-it, Markdown-it | 2026-02-23 | 5.3 Medium |
| Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition. | ||||
| CVE-2026-0663 | 2 M-files, M-files Corporation | 2 M-files Server, M-files Server | 2026-02-23 | 4.9 Medium |
| Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. | ||||