Search Results (14137 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-68157 2 Webpack, Webpack.js 2 Webpack, Webpack 2026-02-13 3.7 Low
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-29830 1 Microsoft 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more 2026-02-13 6.5 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29829 1 Microsoft 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more 2026-02-13 5.5 Medium
Use of uninitialized resource in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
CVE-2025-29959 1 Microsoft 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more 2026-02-13 6.5 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-68458 2 Webpack, Webpack.js 2 Webpack, Webpack 2026-02-13 3.7 Low
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
CVE-2025-49718 1 Microsoft 3 Sql Server, Sql Server 2019, Sql Server 2022 2026-02-13 7.5 High
Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network.
CVE-2025-49704 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-02-13 8.8 High
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2025-50157 1 Microsoft 17 Server, Server Service, Windows and 14 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-53719 1 Microsoft 16 Server, Windows, Windows 2008 and 13 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-53153 1 Microsoft 16 Server, Windows, Windows 2008 and 13 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-53148 1 Microsoft 16 Server, Windows, Windows 2008 and 13 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-53138 1 Microsoft 16 Server, Windows, Windows 2008 and 13 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-50156 1 Microsoft 16 Server, Windows, Windows 2008 and 13 more 2026-02-13 5.7 Medium
Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
CVE-2025-53760 1 Microsoft 4 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 1 more 2026-02-13 7.1 High
Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.
CVE-2025-12575 1 Gitlab 1 Gitlab 2026-02-13 5.4 Medium
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services through the GitLab server.
CVE-2025-12073 1 Gitlab 1 Gitlab 2026-02-13 4.3 Medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
CVE-2025-57707 2 Qnap, Qnap Systems 2 File Station, File Station 5 2026-02-12 8.8 High
An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later
CVE-2025-13096 1 Ibm 1 Business Automation Workflow 2026-02-12 7.1 High
IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVE-2025-15464 1 Yintibao 2 Fun Print, Fun Print Mobile 2026-02-12 7.5 High
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.
CVE-2025-70073 2 1000mz, Liweiyi 2 Chestnutcms, Chestnutcms 2026-02-12 7.2 High
An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function