Search
Search Results (331571 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2074 | 2026-02-07 | 6.3 Medium | ||
| A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-2075 | 2026-02-07 | 6.3 Medium | ||
| A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-21643 | 1 Fortinet | 1 Forticlientems | 2026-02-07 | 9.1 Critical |
| An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | ||||
| CVE-2025-64175 | 2026-02-07 | N/A | ||
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | ||||
| CVE-2025-64111 | 2026-02-07 | N/A | ||
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | ||||
| CVE-2026-0106 | 1 Google | 1 Android | 2026-02-07 | 9.3 Critical |
| In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-24302 | 1 Microsoft | 1 Azure Arc | 2026-02-07 | 8.6 High |
| Azure Arc Elevation of Privilege Vulnerability | ||||
| CVE-2026-24300 | 1 Microsoft | 1 Azure Front Door | 2026-02-07 | 9.8 Critical |
| Azure Front Door Elevation of Privilege Vulnerability | ||||
| CVE-2025-15566 | 1 Kubernetes | 1 Ingress-nginx | 2026-02-07 | 8.8 High |
| A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | ||||
| CVE-2026-2073 | 2026-02-07 | 7.3 High | ||
| A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-25845 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25844 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25843 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25842 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25841 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25840 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25839 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25838 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2026-25837 | 2026-02-07 | N/A | ||
| Not used | ||||
| CVE-2025-31990 | 2026-02-07 | 6.8 Medium | ||
| Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7. | ||||