Search
Search Results (328065 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66371 | 1 Iteras | 1 Peppol-py | 2026-01-15 | 5 Medium |
| Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. | ||||
| CVE-2025-66370 | 1 Kivitendo | 1 Kivitendo | 2026-01-15 | 5 Medium |
| Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem. | ||||
| CVE-2025-11224 | 1 Gitlab | 1 Gitlab | 2026-01-15 | 7.7 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | ||||
| CVE-2025-66516 | 1 Apache | 1 Tika | 2026-01-15 | 8.4 High |
| Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. | ||||
| CVE-2026-21287 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-01-15 | 7.8 High |
| Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-23582 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23581 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23580 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23579 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23578 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23577 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23576 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23575 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2026-23574 | 2026-01-15 | N/A | ||
| Not used | ||||
| CVE-2025-48371 | 1 Openfga | 2 Helm Charts, Openfga | 2026-01-15 | 8.8 High |
| OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible. | ||||
| CVE-2025-66877 | 1 Libming | 1 Libming | 2026-01-15 | 7.5 High |
| Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8. | ||||
| CVE-2025-66869 | 1 Libming | 1 Libming | 2026-01-15 | 7.5 High |
| Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8. | ||||
| CVE-2025-58318 | 1 Delta Electronics | 1 Diaview | 2026-01-15 | N/A |
| Delta Electronics DIAView has an authentication bypass vulnerability. | ||||
| CVE-2025-60935 | 1 Returnfi | 1 Blitz | 2026-01-15 | 6.5 Medium |
| An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication. | ||||
| CVE-2025-68706 | 1 Kuwfi | 3 Ac900, Ac900 Firmware, Ac900 Router | 2026-01-15 | 9.8 Critical |
| A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution. | ||||