Total
334502 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15351 | 1 Anritsu | 1 Vectorstar | 2026-02-23 | N/A |
| Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | ||||
| CVE-2025-70149 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | 9.8 Critical |
| CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection in print_membership_card.php via the ID parameter. | ||||
| CVE-2025-13108 | 1 Ibm | 2 Db2 Merge Backup, Db2 Merge Backup For Linux Unix And Windows | 2026-02-23 | 5.5 Medium |
| IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources. | ||||
| CVE-2025-70150 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | 9.8 Critical |
| CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter. | ||||
| CVE-2024-55271 | 1 Phpgurukul | 1 Gym Management System | 2026-02-23 | 3.5 Low |
| A Cross-Site Request Forgery (CSRF) vulnerability has been identified in phpgurukul Gym Management System 1.0. This issue is present in the profile update functionality of the User Panel, specifically the /profile.php endpoint. | ||||
| CVE-2026-20796 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-02-23 | 3.1 Low |
| Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549 | ||||
| CVE-2026-26076 | 2 Pendulum-project, Tweedegolf | 2 Ntpd-rs, Ntpd-rs | 2026-02-23 | 7.5 High |
| ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1. | ||||
| CVE-2025-70141 | 2 Oretnom23, Sourcecodester | 2 Customer Support System, Customer Support System | 2026-02-23 | 9.4 Critical |
| SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification. | ||||
| CVE-2025-41738 | 1 Codesys | 22 Control For Beaglebone Sl, Control For Empc-a/imx6 Sl, Control For Empc-a\/imx6 Sl and 19 more | 2026-02-23 | 7.5 High |
| An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition. | ||||
| CVE-2026-26007 | 2 Cryptography.io, Pyca | 2 Cryptography, Cryptography | 2026-02-23 | 6.5 Medium |
| cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5. | ||||
| CVE-2025-41700 | 1 Codesys | 2 Codesys, Development System | 2026-02-23 | 7.8 High |
| An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | ||||
| CVE-2025-70296 | 2 Mealie, Mealie-recipes | 2 Mealie, Mealie | 2026-02-23 | 5.4 Medium |
| A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view. | ||||
| CVE-2025-70297 | 2 Mealie, Mealie-recipes | 2 Mealie, Mealie | 2026-02-23 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. | ||||
| CVE-2026-23476 | 2 Facturascripts, Neorazorx | 2 Facturascripts, Facturascripts | 2026-02-23 | 5.4 Medium |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8. | ||||
| CVE-2025-69210 | 1 Facturascripts | 1 Facturascripts | 2026-02-23 | 5.4 Medium |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue. | ||||
| CVE-2026-23997 | 2 Facturascripts, Neorazorx | 2 Facturascripts, Facturascripts | 2026-02-23 | 8 High |
| FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators. | ||||
| CVE-2026-25513 | 2 Facturascripts, Neorazorx | 2 Facturascripts, Facturascripts | 2026-02-23 | 8.8 High |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. | ||||
| CVE-2026-25514 | 2 Facturascripts, Neorazorx | 2 Facturascripts, Facturascripts | 2026-02-23 | 8.8 High |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. | ||||
| CVE-2024-5462 | 1 Broadcom | 1 Fabric Operating System | 2026-02-23 | 7.5 High |
| If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified. | ||||
| CVE-2024-5461 | 1 Broadcom | 2 Brocade 6547, Fabric Operating System | 2026-02-23 | 8.0 High |
| Implementation of the Simple Network Management Protocol (SNMP) operating on the Brocade 6547 (FC5022) embedded switch blade, makes internal script calls to system.sh from within the SNMP binary. An authenticated attacker could perform command or parameter injection on SNMP operations that are only enabled on the Brocade 6547 (FC5022) embedded switch. This injection could allow the authenticated attacker to issue commands as Root. | ||||