Total
140 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26275 | 1 Junkurihara | 1 Httpsig-hyper | 2026-03-03 | N/A | 7.5 HIGH |
|
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly ret ...
Show More |
|||||
| CVE-2024-39534 | 1 Juniper | 1 Junos Os Evolved | 2026-01-23 | N/A | 5.4 MEDIUM |
|
An Incorrect Comparison vulnerability in the local address verification API of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker to create sessions or send traffic to the device using the network and broadcast address of the subnet assigned to an interface. This is unintended and unexpected behavior and can allow an attacker to bypass certain compensating controls, such as stateless firewall filters.
This issue affects Junos OS Evolved:
* All versions ...
Show More |
|||||
| CVE-2026-21691 | 1 Color | 1 Iccdev | 2026-01-12 | N/A | 5.4 MEDIUM |
|
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag:IsTypeCompressed()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
|
|||||
| CVE-2025-20343 | 1 Cisco | 1 Identity Services Engine | 2025-11-19 | N/A | 8.6 HIGH |
|
A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.
This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to ...
Show More |
|||||
| CVE-2025-12192 | 2025-11-06 | N/A | 5.3 MEDIUM | ||
|
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
|
|||||
| CVE-2023-49994 | 1 Espeak-ng | 1 Espeak-ng | 2025-11-04 | N/A | 5.5 MEDIUM |
|
Espeak-ng 1.52-dev was discovered to contain a Floating Point Exception via the function PeaksToHarmspect at wavegen.c.
|
|||||
| CVE-2023-46009 | 1 Lcdf | 1 Gifsicle | 2025-11-04 | N/A | 7.8 HIGH |
|
gifsicle-1.94 was found to have a floating point exception (FPE) vulnerability via resize_stream at src/xform.c.
|
|||||
| CVE-2024-34340 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | N/A | 9.1 CRITICAL |
|
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is i ...
Show More |
|||||
| CVE-2024-4032 | 2025-11-03 | N/A | 7.5 HIGH | ||
|
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.
CPython 3.12.4 and 3.13.0a6 contain updated informati ...
Show More |
|||||
| CVE-2024-9681 | 1 Haxx | 1 Curl | 2025-11-03 | N/A | 6.5 MEDIUM |
|
When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.
This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.
(The HSTS cache either needs to have been populated manually or there needs to
have been previo ...
Show More |
|||||
| CVE-2024-5217 | 1 Servicenow | 1 Servicenow | 2025-11-03 | N/A | 9.8 CRITICAL |
|
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as ...
Show More |
|||||
| CVE-2020-5849 | 1 Unraid | 1 Unraid | 2025-10-31 | 5.0 MEDIUM | 7.5 HIGH |
|
Unraid 6.8.0 allows authentication bypass.
|
|||||
| CVE-2025-9401 | 1 Utcms Project | 1 Utcms | 2025-10-31 | 2.6 LOW | 3.7 LOW |
|
A vulnerability has been found in HuangDou UTCMS 9. This vulnerability affects unknown code of the file app/modules/ut-frame/admin/login.php of the component Login. Such manipulation of the argument code leads to incorrect comparison. The attack can be executed remotely. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not re ...
Show More |
|||||
| CVE-2024-29026 | 1 Owncast Project | 1 Owncast | 2025-10-14 | N/A | 8.2 HIGH |
|
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
|
|||||
| CVE-2024-53861 | 1 Pyjwt Project | 1 Pyjwt | 2025-09-22 | N/A | 2.2 LOW |
|
pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks ...
Show More |
|||||
| CVE-2025-47416 | 2025-09-09 | N/A | N/A | ||
|
A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc. so imported by ctpd that may lead to unauthorized execution of an attacker-defined file that gets prioritized by the ConsoleFindCommandMatchList.
A third-party researcher discovered that the ConsoleFindCommandMatchList enumerates the /dev/shm/symproc/c directory in alphabetical order to identify console commands. Permission levels are inferred from the integer values present in each command's file name.
Conf ...
Show More |
|||||
| CVE-2024-28246 | 1 Katex | 1 Katex | 2025-09-02 | N/A | 5.5 MEDIUM |
|
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX ...
Show More |
|||||
| CVE-2025-54336 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
|
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
|
|||||
| CVE-2025-27909 | 1 Ibm | 1 Concert | 2025-08-21 | N/A | 5.4 MEDIUM |
|
IBM Concert Software 1.0.0 through 1.1.0 uses cross-origin resource sharing (CORS) which could allow an attacker to carry out privileged actions as the domain name is not being limited to only trusted domains.
|
|||||
| CVE-2024-5528 | 1 Gitlab | 1 Gitlab | 2025-08-06 | N/A | 3.5 LOW |
|
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
|
|||||
| CVE-2025-48952 | 1 Netalertx | 1 Netalertx | 2025-08-06 | N/A | 9.4 CRITICAL |
|
NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable versions of the application, a password comparison is performed using the `==` operator at line 40 in front/index.php. This introduces a security issue where specially crafted "magic hash" values that evaluate to true in a loose comparison can bypas ...
Show More |
|||||
| CVE-2025-4515 | 1 Pribai | 1 Privategpt | 2025-07-08 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2022-31650 | 1 Sound Exchange Project | 1 Sound Exchange | 2025-06-27 | 4.3 MEDIUM | 5.5 MEDIUM |
|
In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a.
|
|||||
| CVE-2023-32627 | 3 Fedoraproject, Redhat, Sound Exchange Project | 4 Extra Packages For Enterprise Linux, Fedora, Enterprise Linux and 1 more | 2025-06-27 | N/A | 6.2 MEDIUM |
|
A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.
|
|||||
| CVE-2023-26590 | 3 Fedoraproject, Redhat, Sound Exchange Project | 4 Extra Packages For Enterprise Linux, Fedora, Enterprise Linux and 1 more | 2025-06-27 | N/A | 6.2 MEDIUM |
|
A floating point exception vulnerability was found in sox, in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This flaw can lead to a denial of service.
|
|||||
| CVE-2022-35091 | 1 Swftools | 1 Swftools | 2025-05-22 | N/A | 5.5 MEDIUM |
|
SWFTools commit 772e55a2 was discovered to contain a floating point exception (FPE) via DCTStream::readMCURow() at /xpdf/Stream.cc.ow()
|
|||||
| CVE-2021-47370 | 1 Linux | 1 Linux Kernel | 2025-05-12 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure tx skbs always have the MPTCP ext
Due to signed/unsigned comparison, the expression:
info->size_goal - skb->len > 0
evaluates to true when the size goal is smaller than the
skb size. That results in lack of tx cache refill, so that
the skb allocated by the core TCP code lacks the required
MPTCP skb extensions.
Due to the above, syzbot is able to trigger the following WARN_ON():
WARNING: CPU: 1 PID: 810 at ne ...
Show More |
|||||
| CVE-2016-10003 | 1 Squid-cache | 1 Squid | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.
|
|||||
| CVE-2022-41317 | 1 Squid-cache | 1 Squid | 2025-04-14 | N/A | 6.5 MEDIUM |
|
An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
|
|||||
| CVE-2025-3102 | 2025-04-11 | N/A | 8.1 HIGH | ||
|
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
|
|||||
| CVE-2011-3903 | 1 Google | 1 Chrome | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Google Chrome before 16.0.912.63 does not properly perform regex matching, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
|
|||||
| CVE-2005-2801 | 1 Linux | 1 Linux Kernel | 2025-04-03 | 5.0 MEDIUM | 7.5 HIGH |
|
xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.
|
|||||
| CVE-2022-47034 | 1 Playsms | 1 Playsms | 2025-03-21 | N/A | 9.8 CRITICAL |
|
A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication.
|
|||||
| CVE-2023-40037 | 1 Apache | 1 Nifi | 2025-02-13 | N/A | 6.5 MEDIUM |
|
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
|
|||||
| CVE-2024-2223 | 1 Bitdefender | 2 Endpoint Security, Gravityzone Control Center | 2025-02-07 | N/A | 8.1 HIGH |
|
An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089
Bitdefender Endpoint Security for Windows version 7.9.9.380
GravityZone Control Center (On Premises) version 6.36.1
|
|||||
| CVE-2022-29944 | 1 Opennetworking | 1 Onos | 2025-02-05 | N/A | 5.3 MEDIUM |
|
An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of paths installed by intents. An existing intents does not redirect to a new path, even if a new intent that shares the path with higher priority is installed.
|
|||||
| CVE-2021-38364 | 1 Opennetworking | 1 Onos | 2025-02-05 | N/A | 6.5 MEDIUM |
|
An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of flow rules installed by intents. A remote attacker can install or remove a new intent, and consequently modify or delete the existing flow rules related to other intents.
|
|||||
| CVE-2023-40271 | 1 Arm | 1 Trusted Firmware-m | 2024-11-27 | N/A | 7.5 HIGH |
|
In Trusted Firmware-M through TF-Mv1.8.0, for platforms that integrate the CryptoCell accelerator, when the CryptoCell PSA Driver software Interface is selected, and the Authenticated Encryption with Associated Data Chacha20-Poly1305 algorithm is used, with the single-part verification function (defined during the build-time configuration phase) implemented with a dedicated function (i.e., not relying on usage of multipart functions), the buffer comparison during the verification of the authenti ...
Show More |
|||||
| CVE-2024-39742 | 1 Ibm | 1 Mq Operator | 2024-11-21 | N/A | 8.1 HIGH |
|
IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 could allow a user to bypass authentication under certain configurations due to a partial string comparison vulnerability. IBM X-Force ID: 297169.
|
|||||
| CVE-2024-38522 | 1 Hushline | 1 Hush Line | 2024-11-21 | N/A | 6.3 MEDIUM |
|
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The CSP policy applied on the `tips.hushline.app` website and bundled by default in this repository is trivial to bypass. This vulnerability has been patched in version 0.1.0.
|
|||||