Total
10086 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69822 | 1 Atomberg | 2 Erica Smart Fan, Erica Smart Fan Firmware | 2026-02-02 | 7.4 High |
| An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame | ||||
| CVE-2025-68718 | 1 Kaysus | 2 Ks-wr1200, Ks-wr1200 Firmware | 2026-02-02 | 5.4 Medium |
| KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentication.) Any LAN-adjacent attacker can trivially log in with root privileges. | ||||
| CVE-2025-68719 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | 8.8 High |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device. | ||||
| CVE-2026-22240 | 2 Bluspark Global, Blusparkglobal | 2 Bluvoyix, Bluvoyix | 2026-02-02 | 7.5 High |
| The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | ||||
| CVE-2026-22237 | 2 Bluspark Global, Blusparkglobal | 2 Bluvoyix, Bluvoyix | 2026-02-02 | 9.8 Critical |
| The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. | ||||
| CVE-2026-23743 | 1 Discourse | 1 Discourse | 2026-01-30 | 7.5 High |
| Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | ||||
| CVE-2024-11090 | 1 Liquidweb | 1 Restrict Content | 2026-01-30 | 5.3 Medium |
| The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||
| CVE-2024-13086 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-30 | 5.3 Medium |
| An exposure of sensitive information vulnerability has been reported to affect product. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QTS 5.2.0.2851 build 20240808 and later QuTS hero h5.2.0.2851 build 20240808 and later | ||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | 7.4 High |
| Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | ||||
| CVE-2026-20800 | 1 Gitea | 1 Gitea | 2026-01-29 | 6.5 Medium |
| Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | ||||
| CVE-2024-56526 | 1 Oxid-esales | 1 Eshop | 2026-01-29 | 7.5 High |
| An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error. | ||||
| CVE-2026-21940 | 1 Oracle | 2 Agile Plm, Supply Chain Products Suite | 2026-01-29 | 7.5 High |
| Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | ||||
| CVE-2026-0905 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-29 | 9.8 Critical |
| Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium) | ||||
| CVE-2025-49184 | 1 Sick | 6 Baggage Analytics, Enterprise Analytics, Field Analytics and 3 more | 2026-01-29 | 7.5 High |
| A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product. | ||||
| CVE-2025-65090 | 1 Xwiki | 2 Full Calendar Macro, Xwiki | 2026-01-29 | 5.3 Medium |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6. | ||||
| CVE-2026-22645 | 2 Sick, Sick Ag | 2 Incoming Goods Suite, Incoming Goods Suite | 2026-01-29 | 5.3 Medium |
| The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | ||||
| CVE-2026-1060 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 5.3 Medium |
| The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. | ||||
| CVE-2026-21974 | 1 Oracle | 1 Life Sciences Central Designer | 2026-01-29 | 5.3 Medium |
| Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | ||||
| CVE-2025-25468 | 1 Ffmpeg | 1 Ffmpeg | 2026-01-29 | 6.5 Medium |
| FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. | ||||
| CVE-2025-61777 | 2 Flagforge, Flagforgectf | 2 Flagforge, Flagforge | 2026-01-28 | 9.4 Critical |
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | ||||