Total
5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15394 | 1 Idreamsoft | 1 Icms | 2026-01-13 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-15452 | 1 Wang.market | 1 Wangmarket | 2026-01-13 | 3.3 LOW | 2.4 LOW |
|
A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-15451 | 1 Wang.market | 1 Wangmarket | 2026-01-13 | 3.3 LOW | 2.4 LOW |
|
A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2020-36875 | 2026-01-13 | N/A | N/A | ||
|
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
|
|||||
| CVE-2026-0491 | 2026-01-13 | N/A | 9.1 CRITICAL | ||
|
SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
|
|||||
| CVE-2025-15505 | 2026-01-13 | 3.3 LOW | 2.4 LOW | ||
|
A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement.
|
|||||
| CVE-2025-69262 | 1 Pnpm | 1 Pnpm | 2026-01-12 | N/A | 7.5 HIGH |
|
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
|
|||||
| CVE-2025-55204 | 1 Muffon | 1 Muffon | 2026-01-12 | N/A | 8.8 HIGH |
|
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2. ...
Show More |
|||||
| CVE-2025-15416 | 1 Wang.market | 1 Wangmarket | 2026-01-12 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-54322 | 1 Xspeeder | 1 Sxzos | 2026-01-09 | N/A | 10.0 CRITICAL |
|
Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
|
|||||
| CVE-2025-66848 | 1 Jdcloud | 12 Ax1800, Ax1800 Firmware, Ax3000 and 9 more | 2026-01-09 | N/A | 9.8 CRITICAL |
|
JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.
|
|||||
| CVE-2026-0586 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
|
|||||
| CVE-2025-11093 | 1 Wso2 | 6 Api Control Plane, Api Manager, Enterprise Integrator and 3 more | 2026-01-09 | N/A | 8.4 HIGH |
|
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.
By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This m ...
Show More |
|||||
| CVE-2025-37164 | 1 Hpe | 1 Oneview | 2026-01-08 | N/A | 10.0 CRITICAL |
|
A remote code execution issue exists in HPE OneView.
|
|||||
| CVE-2025-4056 | 2 Gnome, Microsoft | 2 Glib, Windows | 2026-01-08 | N/A | 7.5 HIGH |
|
A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines.
|
|||||
| CVE-2025-15170 | 1 Advayasoftech | 1 Gems Erp Portal | 2026-01-07 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A security vulnerability has been detected in Advaya Softech GEMS ERP Portal up to 2.1. This affects an unknown part of the file /home.jsp?isError=true of the component Error Message Handler. The manipulation of the argument Message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2009-0556 | 1 Microsoft | 2 Office Powerpoint, Powerpoint | 2026-01-07 | 9.3 HIGH | 8.8 HIGH |
|
Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."
|
|||||
| CVE-2025-15214 | 1 Campcodes | 1 Park Ticketing System | 2026-01-07 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in Campcodes Park Ticketing System 1.0. The impacted element is the function save_pricing of the file admin_class.php. The manipulation of the argument name/ride results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used.
|
|||||
| CVE-2023-51797 | 2 Fedoraproject, Ffmpeg | 2 Fedora, Ffmpeg | 2026-01-07 | N/A | 6.7 MEDIUM |
|
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showwaves.c:722:24 in showwaves_filter_frame
|
|||||
| CVE-2025-15145 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 3.3 LOW | 2.4 LOW |
|
A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15146 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15171 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15172 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 4.0 MEDIUM | 3.5 LOW |
|
A security flaw has been discovered in SohuTV CacheCloud up to 3.2.0. This impacts the function preview of the file src/main/java/com/sohu/cache/web/controller/RedisConfigTemplateController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15173 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 4.0 MEDIUM | 3.5 LOW |
|
A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15174 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 4.0 MEDIUM | 3.5 LOW |
|
A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this vulnerability is the function doAppAuditList of the file src/main/java/com/sohu/cache/web/controller/AppManageController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15175 | 1 Sohu | 1 Cachecloud | 2026-01-07 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doAppList/appCommandAnalysis of the file src/main/java/com/sohu/cache/web/controller/AppController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15200 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. The affected element is the function getExceptionStatisticsByClient/getCommandStatisticsByClient/doIndex of the file src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15201 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 4.0 MEDIUM | 3.5 LOW |
|
A flaw has been found in SohuTV CacheCloud up to 3.2.0. The impacted element is the function redirectNoPower of the file src/main/java/com/sohu/cache/web/controller/WebResourceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15202 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 3.3 LOW | 2.4 LOW |
|
A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15203 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in SohuTV CacheCloud up to 3.2.0. This impacts the function index of the file src/main/java/com/sohu/cache/web/controller/ResourceController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15204 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15219 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 4.0 MEDIUM | 3.5 LOW |
|
A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doMachineList/doPodList of the file src/main/java/com/sohu/cache/web/controller/MachineManageController.java. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15220 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This affects the function init of the file src/main/java/com/sohu/cache/web/controller/LoginController.java. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-15221 | 1 Sohu | 1 Cachecloud | 2026-01-06 | 4.0 MEDIUM | 3.5 LOW |
|
A flaw has been found in SohuTV CacheCloud up to 3.2.0. This vulnerability affects the function index of the file src/main/java/com/sohu/cache/web/controller/AppDataMigrateController.java. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2025-68619 | 1 Signalk | 1 Signal K Server | 2026-01-06 | N/A | 7.2 HIGH |
|
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing t ...
Show More |
|||||
| CVE-2025-65817 | 1 Lsc | 2 Smart Connect Indoor Ip Camera, Smart Connect Indoor Ip Camera Firmware | 2026-01-06 | N/A | 8.8 HIGH |
|
LSC Smart Connect Indoor IP Camera 1.4.13 contains a RCE vulnerability in start_app.sh.
|
|||||
| CVE-2025-14519 | 1 Baowzh | 1 Hfly | 2026-01-06 | 4.0 MEDIUM | 3.5 LOW |
|
A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is ...
Show More |
|||||
| CVE-2023-37466 | 1 Vm2 Project | 1 Vm2 | 2026-01-05 | N/A | 9.8 CRITICAL |
|
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
|
|||||
| CVE-2025-15393 | 1 Kodicms-kohana | 1 Kodicms | 2026-01-05 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-66438 | 1 Frappe | 1 Erpnext | 2026-01-05 | N/A | 8.8 HIGH |
|
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An au ...
Show More |
|||||