Total
4422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64483 | 2026-02-06 | N/A | N/A | ||
|
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0.
|
|||||
| CVE-2026-1152 | 1 Technical-laohu | 1 Mpay | 2026-02-06 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2026-1963 | 2026-02-06 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised.
|
|||||
| CVE-2026-1196 | 1 Mineadmin | 1 Mineadmin | 2026-02-05 | 2.1 LOW | 3.1 LOW |
|
A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-1194 | 1 Mineadmin | 1 Mineadmin | 2026-02-05 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-1197 | 1 Mineadmin | 1 Mineadmin | 2026-02-05 | 2.1 LOW | 3.1 LOW |
|
A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-63686 | 1 Guominjim | 1 Personmanage | 2026-02-04 | N/A | 6.5 MEDIUM |
|
There is an arbitrary file download vulnerability in GuoMinJim PersonManage thru commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system.
|
|||||
| CVE-2025-63225 | 1 Eurolab-srl | 2 Elts 100, Elts 100 Firmware | 2026-02-04 | N/A | 9.8 CRITICAL |
|
The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation.
|
|||||
| CVE-2026-24473 | 1 Hono | 1 Hono | 2026-02-04 | N/A | 5.3 MEDIUM |
|
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
|
|||||
| CVE-2025-6592 | 2026-02-04 | N/A | N/A | ||
|
Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php.
This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0.
|
|||||
| CVE-2024-45326 | 1 Fortinet | 1 Fortideceptor | 2026-02-04 | N/A | 4.3 MEDIUM |
|
An Improper Access Control vulnerability [CWE-284] vulnerability in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with none privileges to perform operations on the central management appliance via crafted requests.
|
|||||
| CVE-2026-1117 | 2026-02-03 | N/A | 8.2 HIGH | ||
|
A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state cor ...
Show More |
|||||
| CVE-2026-1742 | 2026-02-03 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-21962 | 1 Oracle | 2 Http Server, Weblogic Server Proxy Plug-in | 2026-02-03 | N/A | 10.0 CRITICAL |
|
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in O ...
Show More |
|||||
| CVE-2025-69822 | 1 Atomberg | 2 Erica Smart Fan, Erica Smart Fan Firmware | 2026-02-02 | N/A | 7.4 HIGH |
|
An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame
|
|||||
| CVE-2025-68716 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | N/A | 8.4 HIGH |
|
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges.
|
|||||
| CVE-2025-57130 | 1 Zwiicms | 1 Zwiicms | 2026-02-02 | N/A | 8.3 HIGH |
|
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.
|
|||||
| CVE-2025-46691 | 2026-02-02 | N/A | 7.8 HIGH | ||
|
Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
|
|||||
| CVE-2025-70985 | 1 Ruoyi | 1 Ruoyi | 2026-01-30 | N/A | 9.1 CRITICAL |
|
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
|
|||||
| CVE-2025-70986 | 1 Ruoyi | 1 Ruoyi | 2026-01-30 | N/A | 7.5 HIGH |
|
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.
|
|||||
| CVE-2026-1407 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-01-30 | 1.2 LOW | 2.0 LOW |
|
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not ...
Show More |
|||||
| CVE-2026-21636 | 1 Nodejs | 1 Node.js | 2026-01-30 | N/A | 10.0 CRITICAL |
|
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code exec ...
Show More |
|||||
| CVE-2026-1411 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-01-30 | 5.9 MEDIUM | 6.1 MEDIUM |
|
A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-23495 | 1 Pimcore | 1 Admin Classic Bundle | 2026-01-30 | N/A | 4.3 MEDIUM |
|
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed tha ...
Show More |
|||||
| CVE-2026-23496 | 1 Pimcore | 1 Web2print Tools | 2026-01-30 | N/A | 5.4 MEDIUM |
|
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed ...
Show More |
|||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | N/A | 7.4 HIGH |
|
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
|
|||||
| CVE-2025-64706 | 1 Typebot | 1 Typebot | 2026-01-30 | N/A | 5.0 MEDIUM |
|
Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.
|
|||||
| CVE-2026-21635 | 1 Ui | 2 Unifi Connect Ev Station Lite, Unifi Connect Ev Station Lite Firmware | 2026-01-30 | N/A | 5.3 MEDIUM |
|
An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet.
|
|||||
| CVE-2026-20912 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 9.1 CRITICAL |
|
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
|
|||||
| CVE-2026-20904 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 6.5 MEDIUM |
|
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
|
|||||
| CVE-2026-20897 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 9.1 CRITICAL |
|
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
|
|||||
| CVE-2026-20888 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 4.3 MEDIUM |
|
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
|
|||||
| CVE-2026-0798 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 3.5 LOW |
|
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
|
|||||
| CVE-2026-20883 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 6.5 MEDIUM |
|
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
|
|||||
| CVE-2026-20750 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 9.1 CRITICAL |
|
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
|
|||||
| CVE-2026-20736 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 7.5 HIGH |
|
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
|
|||||
| CVE-2026-21961 | 1 Oracle | 1 Peoplesoft Enterprise Hcm Human Resources | 2026-01-29 | N/A | 6.1 MEDIUM |
|
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM ...
Show More |
|||||
| CVE-2026-21960 | 1 Oracle | 1 Applications Dba | 2026-01-29 | N/A | 6.5 MEDIUM |
|
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized acc ...
Show More |
|||||
| CVE-2026-21959 | 1 Oracle | 1 Workflow | 2026-01-29 | N/A | 4.9 MEDIUM |
|
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vecto ...
Show More |
|||||
| CVE-2026-24035 | 1 Horilla | 1 Horilla | 2026-01-29 | N/A | 4.3 MEDIUM |
|
Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of a ...
Show More |
|||||