Export limit exceeded: 336927 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336927 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1699 | 1 Eclipse | 1 Theia | 2026-02-04 | 10 Critical |
| In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. | ||||
| CVE-2026-1665 | 1 Nvm-sh | 1 Nvm | 2026-02-04 | N/A |
| A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'. | ||||
| CVE-2025-9226 | 1 Zohocorp | 3 Manageengine Netflow Analyzer, Manageengine Opmanager, Manageengine Oputils | 2026-02-04 | 4.6 Medium |
| Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. | ||||
| CVE-2025-7964 | 1 Silabs | 1 Zigbee Stack | 2026-02-04 | N/A |
| After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a ‘network leave’ request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. A manual recommissioning is required to recover the Zigbee Router. | ||||
| CVE-2025-6723 | 1 Chef | 1 Inspec | 2026-02-04 | N/A |
| Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23. | ||||
| CVE-2025-4686 | 1 Kodmatic | 1 Online Exam And Assessment | 2026-02-04 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15497 | 1 Openvpn | 1 Openvpn | 2026-02-04 | N/A |
| Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service | ||||
| CVE-2025-1395 | 1 Codriapp | 1 Heygarson | 2026-02-04 | 8.2 High |
| Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process but did not respond in any way. | ||||
| CVE-2019-25232 | 1 Netpclinker | 1 Netpclinker | 2026-02-04 | 9.8 Critical |
| NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client. | ||||
| CVE-2020-36998 | 1 Forma | 1 E-learning Suite | 2026-02-04 | 6.4 Medium |
| Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. | ||||
| CVE-2020-37024 | 1 Nidesoft | 1 Dvd Ripper | 2026-02-04 | 8.4 High |
| Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode. | ||||
| CVE-2020-37025 | 1 Upredsun | 1 Port Forwarding Wizard | 2026-02-04 | 8.4 High |
| Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems. | ||||
| CVE-2020-37058 | 1 Andrea Electronics | 1 Andrea St Filters Service | 2026-02-04 | 7.8 High |
| Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. | ||||
| CVE-2020-37023 | 1 Koken | 1 Cms | 2026-02-04 | 8.8 High |
| Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | ||||
| CVE-2020-37026 | 1 Midgetspy | 1 Sickbeard | 2026-02-04 | 5.3 Medium |
| Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection. | ||||
| CVE-2020-37027 | 1 Midgetspy | 1 Sickbeard | 2026-02-04 | 9.8 Critical |
| Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. | ||||
| CVE-2020-37029 | 1 K.soft | 1 Ftpdummy | 2026-02-04 | 8.4 High |
| FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands. | ||||
| CVE-2020-37031 | 1 Ashkon | 1 Simple Startup Manager | 2026-02-04 | 8.4 High |
| Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. Attackers can craft a malicious payload with 268 bytes to trigger code execution, bypassing DEP and overwriting memory addresses to launch calc.exe. | ||||
| CVE-2020-37060 | 1 Drive-software | 1 Atomic Alarm Clock X86 | 2026-02-04 | 7.8 High |
| Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access. | ||||
| CVE-2025-11175 | 1 Wikimedia | 1 Mediawiki-discussiontools Extension | 2026-02-04 | N/A |
| Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43. | ||||