Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
10,065 matching · page 153/202Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2025-69223(opens NVD record) | High | 7.5 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | Jan 5, 2026 |
| CVE-2026-21635(opens NVD record) | Medium | 5.3 | An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet. | Jan 5, 2026 |
| CVE-2026-21634(opens NVD record) | Medium | 6.5 | A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | Jan 5, 2026 |
| CVE-2026-21633(opens NVD record) | High | 8.8 | A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | Jan 5, 2026 |
| CVE-2025-67316(opens NVD record) | Medium | 5.4 | An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser. NOTE: The supplier is currently disputing this finding and the record is under review. | Jan 5, 2026 |
| CVE-2025-59467(opens NVD record) | High | 7.5 | A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. | Jan 5, 2026 |
| CVE-2025-57836(opens NVD record) | High | 7.8 | An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. | Jan 5, 2026 |
| CVE-2025-67160(opens NVD record) | High | 7.5 | An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. | Jan 2, 2026 |
| CVE-2025-67159(opens NVD record) | High | 7.5 | Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. | Jan 2, 2026 |
| CVE-2025-67158(opens NVD record) | High | 7.5 | An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. | Jan 2, 2026 |
| CVE-2024-55374(opens NVD record) | Medium | 5.3 | REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. | Jan 2, 2026 |
| CVE-2025-67711(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67710(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67709(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67708(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67707(opens NVD record) | Medium | 5.6 | ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | Dec 31, 2025 |
| CVE-2025-67706(opens NVD record) | Medium | 5.6 | ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | Dec 31, 2025 |
| CVE-2025-67705(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67704(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2025-67703(opens NVD record) | Medium | 6.1 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | Dec 31, 2025 |
| CVE-2024-58315(opens NVD record) | High | 7.8 | Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot. | Dec 30, 2025 |
| CVE-2025-66723(opens NVD record) | High | 7.5 | inMusic Brands Engine DJ before 4.3.4 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths. | Dec 30, 2025 |
| CVE-2025-66835(opens NVD record) | High | 7.1 | TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context. | Dec 30, 2025 |
| CVE-2025-66848(opens NVD record) | Critical | 9.8 | JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. | Dec 30, 2025 |
| CVE-2025-67255(opens NVD record) | High | 8.8 | In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. | Dec 29, 2025 |
| CVE-2025-67254(opens NVD record) | High | 7.5 | NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. | Dec 29, 2025 |
| CVE-2025-66737(opens NVD record) | Medium | 4.3 | Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component. | Dec 26, 2025 |
| CVE-2025-66738(opens NVD record) | High | 8.8 | An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component. | Dec 26, 2025 |
| CVE-2025-65885(opens NVD record) | Medium | 5.1 | An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) allowing local attackers to inject startup scripts via crafted .txt files in the :\Data directory. | Dec 26, 2025 |
| CVE-2025-64645(opens NVD record) | High | 7.7 | IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link. | Dec 26, 2025 |
| CVE-2025-36230(opens NVD record) | Medium | 5.4 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | Dec 26, 2025 |
| CVE-2025-36229(opens NVD record) | Low | 3.1 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers. | Dec 26, 2025 |
| CVE-2025-36228(opens NVD record) | Low | 3.8 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse. | Dec 26, 2025 |
| CVE-2025-36192(opens NVD record) | Medium | 6.7 | IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms. | Dec 26, 2025 |
| CVE-2025-14687(opens NVD record) | Medium | 4.3 | IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms. | Dec 26, 2025 |
| CVE-2025-13915(opens NVD record) | Critical | 9.8 | IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. | Dec 26, 2025 |
| CVE-2025-1721(opens NVD record) | Medium | 5.9 | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | Dec 26, 2025 |
| CVE-2025-12771(opens NVD record) | High | 7.8 | IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | Dec 26, 2025 |
| CVE-2025-36154(opens NVD record) | Medium | 6.2 | IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user. | Dec 24, 2025 |
| CVE-2025-33224(opens NVD record) | Critical | 9.8 | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | Dec 23, 2025 |
| CVE-2025-33223(opens NVD record) | Critical | 9.8 | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | Dec 23, 2025 |
| CVE-2025-33222(opens NVD record) | Critical | 9.8 | NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. | Dec 23, 2025 |
| CVE-2025-67109(opens NVD record) | Critical | 10.0 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. | Dec 23, 2025 |
| CVE-2025-67108(opens NVD record) | Critical | 10.0 | eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. | Dec 23, 2025 |
| CVE-2025-65865(opens NVD record) | High | 7.5 | An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input. | Dec 23, 2025 |
| CVE-2025-65857(opens NVD record) | High | 7.5 | An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access. | Dec 22, 2025 |
| CVE-2025-65856(opens NVD record) | Critical | 9.8 | Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access. | Dec 22, 2025 |
| CVE-2025-67418(opens NVD record) | Critical | 9.8 | ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application. | Dec 22, 2025 |
| CVE-2025-67291(opens NVD record) | Medium | 6.1 | A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | Dec 22, 2025 |
| CVE-2025-67290(opens NVD record) | Medium | 6.1 | A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. | Dec 22, 2025 |