Total
331311 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-43181 | 1 Ibm | 1 Concert | 2026-02-05 | 6.3 Medium |
| IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2020-37137 | 2026-02-05 | 6.1 Medium | ||
| PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. | ||||
| CVE-2020-37140 | 2026-02-05 | 5.5 Medium | ||
| Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. | ||||
| CVE-2025-65783 | 1 Hubert | 1 Hub | 2026-02-05 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2025-15557 | 2026-02-05 | N/A | ||
| An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | ||||
| CVE-2025-68722 | 2026-02-05 | N/A | ||
| Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. | ||||
| CVE-2026-1962 | 2026-02-05 | 6.3 Medium | ||
| A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. | ||||
| CVE-2025-15551 | 2026-02-05 | N/A | ||
| The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. | ||||
| CVE-2025-66698 | 2 Semantic, Semantic-machines | 2 Machines, Veda | 2026-02-05 | 8.6 High |
| An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | ||||
| CVE-2025-12131 | 2026-02-05 | N/A | ||
| A truncated 802.15.4 packet can lead to an assert, resulting in a denial of service. | ||||
| CVE-2025-68721 | 2026-02-05 | N/A | ||
| Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. | ||||
| CVE-2025-33081 | 1 Ibm | 1 Concert | 2026-02-05 | 3.3 Low |
| IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. | ||||
| CVE-2026-1884 | 1 Zentao | 1 Zentao | 2026-02-05 | 4.7 Medium |
| A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-25051 | 1 N8n | 1 N8n | 2026-02-05 | 5.4 Medium |
| n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. | ||||
| CVE-2026-1301 | 2026-02-05 | N/A | ||
| In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory. | ||||
| CVE-2026-25049 | 1 N8n | 1 N8n | 2026-02-05 | 9.9 Critical |
| n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2. | ||||
| CVE-2026-1196 | 1 Mineadmin | 1 Mineadmin | 2026-02-05 | 3.1 Low |
| A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-0106 | 2026-02-05 | N/A | ||
| In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-1814 | 1 Rapid7 | 1 Nexpose | 2026-02-05 | N/A |
| A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. | ||||
| CVE-2026-1761 | 1 Redhat | 5 Enterprise Linux, Enterprise Linux Eus, Rhel E4s and 2 more | 2026-02-05 | 8.6 High |
| A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. | ||||