Total
240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-16873 | 2 Google, Microsoft | 2 Chrome, Xamarin.forms | 2026-02-23 | 6.8 MEDIUM | 4.7 MEDIUM |
| <p>A spoofing vulnerability manifests in Microsoft Xamarin.Forms due to the default settings on Android WebView version prior to 83.0.4103.106. This vulnerability could allow an attacker to execute arbitrary Javascript code on a target system.</p> <p>For the attack to be successful, the targeted user would need to browse to a malicious website or a website serving the malicious code through Xamarin.Forms.</p> <p>The security update addresses this vulnerability by preventing the malicious Javascript from running in the WebView.</p> | |||||
| CVE-2026-2617 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-02-19 | 5.8 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affects an unknown function of the component Telnet Service/SSH Service. The manipulation results in insecure default initialization of resource. The attack can only be performed from the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-70998 | 1 Utt | 2 810, 810 Firmware | 2026-02-19 | N/A | 9.8 CRITICAL |
| UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 was discovered to contain insecure default credentials for the telnet service, possibly allowing a remote attacker to gain root access via a crafted script. | |||||
| CVE-2023-4194 | 4 Debian, Fedoraproject, Linux and 1 more | 4 Debian Linux, Fedora, Linux Kernel and 1 more | 2026-02-18 | N/A | 5.5 MEDIUM |
| A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate. | |||||
| CVE-2025-64781 | 1 Groupsession | 1 Groupsession | 2026-02-17 | N/A | 4.7 MEDIUM |
| In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL. | |||||
| CVE-2026-25894 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | N/A | 9.8 CRITICAL |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10. | |||||
| CVE-2026-25499 | 1 Bpg | 1 Terraform Provider | 2026-02-11 | N/A | 7.5 HIGH |
| Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | |||||
| CVE-2025-69970 | 1 Frangoteam | 1 Fuxa | 2026-02-10 | N/A | 9.3 CRITICAL |
| FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. | |||||
| CVE-2026-1675 | 2026-02-09 | N/A | 5.3 MEDIUM | ||
| The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. | |||||
| CVE-2025-59097 | 2026-01-26 | N/A | N/A | ||
| The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | |||||
| CVE-2025-59090 | 2026-01-26 | N/A | N/A | ||
| On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. | |||||
| CVE-2025-5591 | 1 Kentico | 1 Xperience | 2026-01-22 | N/A | 5.4 MEDIUM |
| Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | |||||
| CVE-2025-35021 | 1 Antek | 2 Abilis Cpx 2000, Abilis Cpx Firmware | 2026-01-13 | N/A | 6.5 MEDIUM |
| By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections. | |||||
| CVE-2023-33949 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-09 | N/A | 5.3 MEDIUM |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. | |||||
| CVE-2024-30124 | 1 Hcltech | 1 Sametime | 2026-01-08 | N/A | 4.0 MEDIUM |
| HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by default using the HTTP protocol. An attacker could potentially use this service endpoint maliciously. | |||||
| CVE-2025-62877 | 2026-01-08 | N/A | 9.8 CRITICAL | ||
| Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. | |||||
| CVE-2025-56332 | 1 Pangolin | 1 Pangolin | 2026-01-07 | N/A | 9.1 CRITICAL |
| Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration | |||||
| CVE-2025-66482 | 1 Misskey | 1 Misskey | 2026-01-06 | N/A | 6.5 MEDIUM |
| Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file. | |||||
| CVE-2025-64135 | 1 Jenkins | 1 Eggplant Runner | 2025-12-22 | N/A | 5.9 MEDIUM |
| Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the Java runtime. | |||||
| CVE-2025-43797 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-16 | N/A | 5.4 MEDIUM |
| In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site. | |||||