Search Results (14138 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-63551 1 Metinfo 2 Content Management System, Metinfo 2026-02-04 7.5 High
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
CVE-2025-60785 2 Icescrum, Kagilum 2 Icescrum, Icescrum 2026-02-04 8.8 High
A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page.
CVE-2025-10875 1 Salesforce 2 Mulesoft, Mulesoft Anypoint Code Builder 2026-02-04 6.5 Medium
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6.
CVE-2025-64318 1 Salesforce 2 Mulesoft, Mulesoft Anypoint Code Builder 2026-02-04 5.3 Medium
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.
CVE-2025-64320 1 Salesforce 2 Agentforce Vibes, Agentforce Vibes Extension 2026-02-04 6.5 Medium
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0.
CVE-2025-64321 1 Salesforce 2 Agentforce Vibes, Agentforce Vibes Extension 2026-02-04 5.3 Medium
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.
CVE-2021-39935 1 Gitlab 1 Gitlab 2026-02-04 6.8 Medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API
CVE-2025-10370 1 Sourcefabric 2 Phoniebox, Rpi-jukebox-rfid 2026-02-03 3.5 Low
A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-58441 2 Eng, Knowage-suite 2 Knowage, Knowage 2026-02-03 6.5 Medium
Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37.
CVE-2025-56589 1 Apryse 2 Html2pdf, Html2pdf Sdk 2026-02-02 7.5 High
A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.
CVE-2025-69564 2 Code-projects, Fabian 2 Mobile Shop Management System, Mobile Shop Management System 2026-02-02 9.8 Critical
code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters.
CVE-2025-20912 1 Samsung 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more 2026-02-02 6.2 Medium
Incorrect default permission in DiagMonAgent prior to SMR Mar-2025 Release 1 allows local attackers to access data within Galaxy Watch.
CVE-2018-17207 1 Awesomemotive 1 Duplicator 2026-02-02 9.8 Critical
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
CVE-2025-41376 1 Limesurvey 1 Limesurvey 2026-01-30 5.3 Medium
CRLF Injection vulnerability in Limesurvey v2.65.1+170522.  This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid/<SID>/token/fwyfw%0d%0aCookie:%20POC'.
CVE-2024-55931 1 Xerox 1 Workplace Suite 2026-01-30 6.5 Medium
Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.  The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.
CVE-2024-42756 1 Netgear 3 Dgn1000 Firmware, Dgn1000ww, Dgn1000ww Firmware 2026-01-30 8.8 High
An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page
CVE-2025-68662 1 Discourse 1 Discourse 2026-01-30 7.6 High
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
CVE-2025-55423 1 Iptime 326 A1, A1004, A1004 Firmware and 323 more 2026-01-30 9.8 Critical
A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.
CVE-2025-13086 1 Openvpn 1 Openvpn 2026-01-30 7.5 High
Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client
CVE-2025-64709 1 Typebot 1 Typebot 2026-01-30 9.6 Critical
Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue.