Export limit exceeded: 325300 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (325300 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67986 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7. | ||||
| CVE-2025-68065 | 2 Liquidthemes, Wordpress | 2 Hub, Wordpress | 2026-02-04 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8. | ||||
| CVE-2025-68070 | 2 Vektor, Wordpress | 2 Vk Google Job Posting Manager, Wordpress | 2026-02-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS.This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21. | ||||
| CVE-2025-68078 | 2 Themenectar, Wordpress | 2 Salient Core, Wordpress | 2026-02-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2. | ||||
| CVE-2025-68084 | 2 Nitesh Singh, Wordpress | 2 Ultimate Wordpress Auction Plugin, Wordpress | 2026-02-04 | 5.4 Medium |
| Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Auction : from n/a through <= 4.3.2. | ||||
| CVE-2025-68088 | 2 Merkulove, Wordpress | 2 Huger For Elementor, Wordpress | 2026-02-04 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Huger for Elementor: from n/a through <= 1.1.5. | ||||
| CVE-2019-19006 | 1 Sangoma | 1 Freepbx | 2026-02-04 | 9.8 Critical |
| Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. | ||||
| CVE-2025-62610 | 1 Hono | 1 Hono | 2026-02-04 | 8.1 High |
| Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2. | ||||
| CVE-2021-39935 | 1 Gitlab | 1 Gitlab | 2026-02-04 | 6.8 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API | ||||
| CVE-2026-24398 | 1 Hono | 1 Hono | 2026-02-04 | 4.8 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue. | ||||
| CVE-2026-24472 | 1 Hono | 1 Hono | 2026-02-04 | 5.3 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | ||||
| CVE-2026-24473 | 1 Hono | 1 Hono | 2026-02-04 | 5.3 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | ||||
| CVE-2026-24771 | 1 Hono | 1 Hono | 2026-02-04 | 4.7 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue. | ||||
| CVE-2025-50537 | 2 Eslint, Openjsf | 2 Eslint, Eslint | 2026-02-04 | 5.5 Medium |
| Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow. | ||||
| CVE-2025-48780 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 9.8 Critical |
| A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object. | ||||
| CVE-2025-48781 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 7.5 High |
| An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths. | ||||
| CVE-2025-61686 | 1 Shopify | 3 React-router\/node, Remix-run\/deno, Remix-run\/node | 2026-02-04 | 9.1 Critical |
| React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. | ||||
| CVE-2025-48782 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 9.8 Critical |
| An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file. | ||||
| CVE-2025-48783 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 7.5 High |
| An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths. | ||||
| CVE-2025-48784 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 7.5 High |
| A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization. | ||||