Search Results (10900 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-59810 | 1 Fortinet | 3 Fortisoar, Fortisoaron-premise, Fortisoarpaas | 2026-01-14 | 6.2 Medium | An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests. |
| CVE-2025-59923 | 1 Fortinet | 1 Fortiauthenticator | 2026-01-14 | 2.6 Low | An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests. |
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2026-01-13 | 9.8 Critical | An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. |
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2026-01-13 | 9.8 Critical | An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. |
| CVE-2025-65925 | 1 Zeroheight | 1 Zeroheight | 2026-01-13 | 6.5 Medium | An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported. |
| CVE-2025-67070 | | | 2026-01-13 | 8.2 High | A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel. |
| CVE-2025-15069 | 1 Gmission | 1 Web Fax | 2026-01-13 | 7.1 High | Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation. This issue affects Web Fax: from 3.0 before 3.0.1. |
| CVE-2023-33947 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | 2.7 Low | The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. |
| CVE-2023-33946 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | 2.7 Low | The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page. |
| CVE-2025-69197 | 1 Pterodactyl | 1 Panel | 2026-01-12 | 6.5 Medium | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0. |
| CVE-2026-21694 | 1 Kromit | 1 Titra | 2026-01-12 | 6.8 Medium | Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50. |
| CVE-2025-14942 | 1 Wolfssh | 1 Wolfssh | 2026-01-12 | 9.8 Critical | wolfSSH's key exchange state machine can be manipulated to leak the client's password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch, and it is recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren't any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report. |
| CVE-2026-21891 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2026-01-12 | 9.4 Critical | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available. |
| CVE-2025-63221 | 1 Axeltechnology | 2 Puma, Puma Firmware | 2026-01-12 | 9.1 Critical | The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. |
| CVE-2025-63219 | 1 Itel | 3 Iso-fm, Iso-fm Firmware, Iso Fm Sfn Adapter | 2026-01-12 | 7.5 High | The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity. |
| CVE-2025-63218 | 1 Axeltechnology | 4 Wolf1ms, Wolf1ms Firmware, Wolf2ms and 1 more | 2026-01-12 | 9.8 Critical | The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. |
| CVE-2024-2055 | 1 Articatech | 1 Artica Proxy | 2026-01-12 | 9.8 Critical | The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. |
| CVE-2024-2056 | 1 Articatech | 1 Artica Proxy | 2026-01-12 | 9.8 Critical | Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the "tailon" service is running, runs as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov's 'tailon' GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed. |
| CVE-2025-58770 | 1 Ami | 1 Aptio V | 2026-01-12 | 8.8 High | APTIOV contains a vulnerability in BIOS where a user may cause "Improper Handling of Insufficient Permissions or Privileges" by local access. Successful exploitation of this vulnerability can lead to escalation of authorization and potentially impact Integrity and Availability. |
| CVE-2025-58410 | 1 Imaginationtech | 2 Ddk, Graphics Ddk | 2026-01-12 | 7.5 High | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource. |