Search Results (331873 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66005 | 1 Shadowblip | 1 Inputplumber | 2026-01-15 | N/A |
| Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. | ||||
| CVE-2025-13175 | 1 Ysoft | 1 Safeq | 2026-01-15 | N/A |
| Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. | ||||
| CVE-2025-14338 | 1 Shadowblip | 1 Inputplumber | 2026-01-15 | N/A |
| Polkit authentication disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | ||||
| CVE-2025-67399 | 1 Airth | 1 Smart Home Aqi Monitor Bootloader | 2026-01-15 | 4.6 Medium |
| An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device, which is open to access. | ||||
| CVE-2025-14317 | 1 Emaintenance | 1 Crazy Bubble Tea | 2026-01-15 | N/A |
| In the Crazy Bubble Tea mobile application, an authenticated attacker can obtain personal information about other users by enumerating the `loyaltyGuestId` parameter. The server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). | ||||
| CVE-2025-66370 | 1 Kivitendo | 1 Kivitendo | 2026-01-15 | 5 Medium |
| Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem. | ||||
| CVE-2025-66516 | 1 Apache | 1 Tika | 2026-01-15 | 8.4 High |
| Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. | ||||
| CVE-2026-21287 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-01-15 | 7.8 High |
| Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-23582 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23581 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23580 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23579 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23578 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23577 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23576 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23575 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2026-23574 | | | 2026-01-15 | N/A |
| Not used | ||||
| CVE-2025-48371 | 1 Openfga | 2 Helm Charts, Openfga | 2026-01-15 | 8.8 High |
| OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples' user field is a userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible. | ||||
| CVE-2025-66877 | 1 Libming | 1 Libming | 2026-01-15 | 7.5 High |
| Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8. | ||||
| CVE-2025-66869 | 1 Libming | 1 Libming | 2026-01-15 | 7.5 High |
| Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8. | ||||