Total
102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47504 | 1 Juniper | 4 Junos, Srx5400, Srx5600 and 1 more | 2026-01-26 | N/A | 7.5 HIGH |
| An Improper Validation of Specified Type of Input vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX5000 Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When a non-clustered SRX5000 device receives a specifically malformed packet this will cause a flowd crash and restart. This issue affects Junos OS: * 22.1 releases 22.1R1 and later before 22.2R3-S5, * 22.3 releases before 22.3R3-S4, * 22.4 releases before 22.4R3-S4, * 23.2 releases before 23.2R2-S2, * 23.4 releases before 23.4R2-S1, * 24.2 releases before 24.2R1-S1, 24.2R2. Please note that the PR does indicate that earlier versions have been fixed as well, but these won't be adversely impacted by this. | |||||
| CVE-2026-24307 | | | 2026-01-26 | N/A | 9.3 CRITICAL |
| Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-6298 | 1 Axis | 1 Axis Os | 2026-01-21 | N/A | 6.7 MEDIUM |
| ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2024-47261 | 1 Axis | 3 Axis Os, Axis Os 2022, Axis Os 2024 | 2026-01-14 | N/A | 4.3 MEDIUM |
| 51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation, allowing an attacker to upload files that block access to creating image overlays in the web interface of the Axis device. | |||||
| CVE-2025-30027 | 1 Axis | 1 Axis Os | 2026-01-13 | N/A | 6.7 MEDIUM |
| An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2025-53627 | | | 2025-12-31 | N/A | 5.3 MEDIUM |
| Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. | |||||
| CVE-2025-13352 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 3.0 LOW |
| Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. | |||||
| CVE-2025-12689 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 6.5 MEDIUM |
| Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plug-in by sending a malformed request. | |||||
| CVE-2024-2105 | | | 2025-12-12 | N/A | 6.5 MEDIUM |
| An unauthorised attacker within Bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. | |||||
| CVE-2025-32901 | | | 2025-12-08 | N/A | 4.3 MEDIUM |
| In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | |||||
| CVE-2025-20756 | 1 Mediatek | 38 Mt2735, Mt6833, Mt6833p and 35 more | 2025-12-03 | N/A | 5.3 MEDIUM |
| In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643. | |||||
| CVE-2024-48858 | 1 Blackberry | 1 Qnx Software Development Platform | 2025-12-01 | N/A | 7.5 HIGH |
| Improper input validation in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec. | |||||
| CVE-2024-35213 | 1 Blackberry | 1 Qnx Software Development Platform | 2025-12-01 | N/A | 9.0 CRITICAL |
| An improper input validation vulnerability in the SGI Image Codec of QNX SDP version(s) 6.6, 7.0, and 7.1 could allow an attacker to potentially cause a denial-of-service condition or execute code in the context of the image processing process. | |||||
| CVE-2025-60633 | 1 Free5gc | 1 Free5gc | 2025-12-01 | N/A | 6.5 MEDIUM |
| An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. | |||||
| CVE-2025-12977 | 1 Treasuredata | 1 Fluent Bit | 2025-11-28 | N/A | 9.1 CRITICAL |
| Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing. | |||||
| CVE-2025-41729 | | | 2025-11-25 | N/A | 7.5 HIGH |
| An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. | |||||
| CVE-2025-4645 | 1 Axis | 233 A1210 (-b), A1214, A1601 and 230 more | 2025-11-24 | N/A | 6.7 MEDIUM |
| An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2025-8108 | 1 Axis | 233 A1210 (-b), A1214, A1601 and 230 more | 2025-11-24 | N/A | 6.7 MEDIUM |
| An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2025-9524 | | | 2025-11-12 | N/A | 4.3 MEDIUM |
| The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer-, operator-, or administrator-privileged service account. | |||||
| CVE-2025-58729 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2025-11-07 | N/A | 6.5 MEDIUM |
| Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | |||||
