Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
16,974 matching · page 176/340Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-21248(opens NVD record) | High | 7.3 | Heap-based buffer overflow in Windows Hyper-V allows an authorized attacker to execute code locally. | Feb 10, 2026 |
| CVE-2026-21247(opens NVD record) | High | 7.3 | Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. | Feb 10, 2026 |
| CVE-2026-21246(opens NVD record) | High | 7.8 | Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21245(opens NVD record) | High | 7.8 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21244(opens NVD record) | High | 7.3 | Heap-based buffer overflow in Windows Hyper-V allows an authorized attacker to execute code locally. | Feb 10, 2026 |
| CVE-2026-21243(opens NVD record) | High | 7.5 | Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network. | Feb 10, 2026 |
| CVE-2026-21242(opens NVD record) | High | 7.0 | Use after free in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21241(opens NVD record) | High | 7.0 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21240(opens NVD record) | High | 7.8 | Time-of-check time-of-use (toctou) race condition in Windows HTTP.sys allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21239(opens NVD record) | High | 7.8 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21238(opens NVD record) | High | 7.8 | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21237(opens NVD record) | High | 7.0 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21236(opens NVD record) | High | 7.8 | Heap-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21235(opens NVD record) | High | 7.3 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21234(opens NVD record) | High | 7.0 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21232(opens NVD record) | High | 7.8 | Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21231(opens NVD record) | High | 7.8 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally. | Feb 10, 2026 |
| CVE-2026-21229(opens NVD record) | High | 8.0 | Improper input validation in Power BI allows an authorized attacker to execute code over a network. | Feb 10, 2026 |
| CVE-2026-21228(opens NVD record) | High | 8.1 | Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network. | Feb 10, 2026 |
| CVE-2026-21222(opens NVD record) | Medium | 5.5 | Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. | Feb 10, 2026 |
| CVE-2026-21218(opens NVD record) | High | 7.5 | Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network. | Feb 10, 2026 |
| CVE-2026-20846(opens NVD record) | High | 7.5 | Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. | Feb 10, 2026 |
| CVE-2026-20841(opens NVD record) | High | 7.8 | Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally. | Feb 10, 2026 |
| CVE-2026-1997(opens NVD record) | Medium | 5.3 | Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedded Web Server (EWS). Keeping CORS disabled unless explicitly required helps ensure that only trusted solutions can interact with the device. | Feb 10, 2026 |
| CVE-2026-1996(opens NVD record) | Medium | 5.3 | Certain HP OfficeJet Pro printers may be vulnerable to potential denial of service when the IPP requests are mishandled, failing to establish a TCP connection. | Feb 10, 2026 |
| CVE-2026-22153(opens NVD record) | High | 8.1 | An Authentication Bypass by Primary Weakness vulnerability [CWE-305] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4 may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, when the remote LDAP server is configured in a specific way. | Feb 10, 2026 |
| CVE-2026-21743(opens NVD record) | High | 7.2 | A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint. | Feb 10, 2026 |
| CVE-2026-1603(opens NVD record) | High | 8.6 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. | Feb 10, 2026 |
| CVE-2026-1602(opens NVD record) | Medium | 6.5 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | Feb 10, 2026 |
| CVE-2025-68686(opens NVD record) | Medium | 5.9 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. An attacker would need first to have compromised the product via another vulnerability, at filesystem level. | Feb 10, 2026 |
| CVE-2025-64157(opens NVD record) | Medium | 6.7 | A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. | Feb 10, 2026 |
| CVE-2025-62676(opens NVD record) | High | 7.1 | An Improper Link Resolution Before File Access ('Link Following') vulnerability [CWE-59] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.4, FortiClientWindows 7.2.0 through 7.2.12, FortiClientWindows 7.0 all versions may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages. | Feb 10, 2026 |
| CVE-2025-55018(opens NVD record) | Medium | 5.8 | An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header | Feb 10, 2026 |
| CVE-2025-52436(opens NVD record) | High | 8.8 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. | Feb 10, 2026 |
| CVE-2026-25639(opens NVD record) | High | 7.5 | Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5. | Feb 9, 2026 |
| CVE-2026-2141(opens NVD record) | Medium | 6.3 | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | Feb 8, 2026 |
| CVE-2026-25859(opens NVD record) | High | 8.8 | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. | Feb 7, 2026 |
| CVE-2026-25858(opens NVD record) | Critical | 9.1 | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | Feb 7, 2026 |
| CVE-2026-25568(opens NVD record) | Medium | 4.3 | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. | Feb 7, 2026 |
| CVE-2026-25567(opens NVD record) | Medium | 4.3 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. | Feb 7, 2026 |
| CVE-2026-25566(opens NVD record) | Medium | 5.4 | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. | Feb 7, 2026 |
| CVE-2026-25565(opens NVD record) | Medium | 6.5 | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. | Feb 7, 2026 |
| CVE-2026-25564(opens NVD record) | High | 7.5 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | Feb 7, 2026 |
| CVE-2026-25563(opens NVD record) | High | 7.5 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | Feb 7, 2026 |
| CVE-2026-25562(opens NVD record) | Medium | 4.3 | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users. | Feb 7, 2026 |
| CVE-2026-25561(opens NVD record) | High | 7.5 | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. | Feb 7, 2026 |
| CVE-2026-25560(opens NVD record) | Critical | 9.8 | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication. | Feb 7, 2026 |
| CVE-2026-1731(opens NVD record) | Critical | 9.8 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | Feb 6, 2026 |
| CVE-2026-1709(opens NVD record) | Critical | 9.4 | A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate. | Feb 6, 2026 |
| CVE-2026-1769(opens NVD record) | Medium | 5.3 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | Feb 6, 2026 |