Total: 336347 CVE

| CVE | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|
| CVE-2026-22903 | 2026-02-09 | N/A | 9.8 CRITICAL | An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections. |
| CVE-2025-66596 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate request headers. When an attacker inserts an invalid host header, users could be redirected to malicious sites. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2025-66595 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). When a user accesses a link crafted by an attacker, the user's account could be compromised. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2026-24027 | 2026-02-09 | N/A | 5.3 MEDIUM | Crafted zones can lead to increased incoming network traffic. |
| CVE-2026-2216 | 2026-02-09 | 4.0 MEDIUM | 4.3 MEDIUM | A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function download_export_file of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2025-66607 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The response header contains an insecure setting. Users could be redirected to malicious sites by an attacker. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2025-66598 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports old SSL/TLS versions, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2025-59023 | 2026-02-09 | N/A | 8.2 HIGH | Crafted delegations or IP fragments can poison cached delegations in Recursor. |
| CVE-2026-1675 | 2026-02-09 | N/A | 5.3 MEDIUM | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. |
| CVE-2026-25904 | 2026-02-09 | N/A | 5.8 MEDIUM | The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note: the "mcp-run-python" project is archived and unlikely to receive a fix. |
| CVE-2025-10464 | 2026-02-09 | N/A | 6.5 MEDIUM | Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-2215 | 2026-02-09 | 2.6 LOW | 3.7 LOW | A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. |
| CVE-2026-0555 | 2026-02-09 | N/A | 6.4 MEDIUM | The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Prem ... |
| CVE-2025-66594 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Detailed messages are displayed on the error page. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2025-10465 | 2026-02-09 | N/A | 8.8 HIGH | Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server. This issue affects Sensaway: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-1868 | 2026-02-09 | N/A | 9.9 CRITICAL | GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway. This has been fixed in versions 18.6.2, 18.7.1, and 18.8.1 of the Gi ... |
| CVE-2026-1613 | 2026-02-09 | N/A | 6.4 MEDIUM | The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-10463 | 2026-02-09 | N/A | 7.3 HIGH | Improper Authentication vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Authentication Abuse. This issue affects Senseway: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-1573 | 2026-02-09 | N/A | 6.4 MEDIUM | The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-66608 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate URLs. An attacker could send specially crafted requests to steal files from the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2026-0870 | 2026-02-09 | N/A | 7.8 HIGH | MacroHub developed by GIGABYTE has a Local Privilege Escalation vulnerability. Because the MacroHub application launches external applications with improper privileges, authenticated local attackers can execute arbitrary code with SYSTEM privileges. |
| CVE-2026-22906 | 2026-02-09 | N/A | 9.8 CRITICAL | User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass. |
| CVE-2026-24466 | 2026-02-09 | N/A | 6.7 MEDIUM | Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths. A user with write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. |
| CVE-2025-7708 | 2026-02-09 | N/A | 6.8 MEDIUM | Insertion of Sensitive Information Into Sent Data vulnerability in Atlas Educational Software Industry Ltd. Co. K12net allows Communication Channel Manipulation. This issue affects k12net: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-22904 | 2026-02-09 | N/A | 9.8 CRITICAL | Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial-of-service condition and possible remote code execution. |
| CVE-2025-66600 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product lacks HSTS (HTTP Strict Transport Security) configuration. When an attacker performs a Man-in-the-middle (MITM) attack, communications with the web server could be sniffed. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2026-22905 | 2026-02-09 | N/A | 7.5 HIGH | An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads. |
| CVE-2026-22613 | 2026-02-09 | N/A | 5.7 MEDIUM | The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented, potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3, which is available on the Eaton download center. |
| CVE-2025-66599 | 2026-02-09 | N/A | N/A | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Physical paths could be displayed on web pages. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 |
| CVE-2026-25916 | 2026-02-09 | N/A | 4.3 MEDIUM | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. |
| CVE-2025-59024 | 2026-02-09 | N/A | 6.5 MEDIUM | Crafted delegations or IP fragments can poison cached delegations in Recursor. |
| CVE-2025-15477 | 2026-02-09 | N/A | 6.5 MEDIUM | The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information ... |
| CVE-2025-15476 | 2026-02-09 | N/A | 4.3 MEDIUM | The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, delete or modify arbitrary bucket list items. |
| CVE-2026-1570 | 2026-02-09 | N/A | 6.4 MEDIUM | The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-1634 | 2026-02-09 | N/A | 6.1 MEDIUM | The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2026-1959 | 2026-02-09 | N/A | N/A | Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint. |
| CVE-2026-25905 | 2026-02-09 | N/A | 5.8 MEDIUM | The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server for malicious purposes, including MCP tool shadowing. Note: the "mcp-run-python" project is archived and unlikely to receive a fix. |
| CVE-2026-1611 | 2026-02-09 | N/A | 6.4 MEDIUM | The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-7799 | 2026-02-09 | N/A | 8.6 HIGH | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS. This issue affects e-Taxpayer Accounting Website: through 07082025. |
| CVE-2026-2234 | 2026-02-09 | N/A | 9.1 CRITICAL | C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content. |