Total
3562 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-69634 | 2026-02-14 | N/A | 9.0 CRITICAL | ||
| Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user. | |||||
| CVE-2024-51954 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-13 | N/A | 8.5 HIGH |
| There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software. | |||||
| CVE-2025-68721 | 1 Axigen | 1 Axigen Mail Server | 2026-02-13 | N/A | 8.1 HIGH |
| Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. | |||||
| CVE-2026-20638 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-13 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions. | |||||
| CVE-2025-67645 | 1 Open-emr | 1 Openemr | 2026-02-12 | N/A | 8.8 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. | |||||
| CVE-2026-24300 | 1 Microsoft | 1 Azure Front Door | 2026-02-12 | N/A | 9.8 CRITICAL |
| Azure Front Door Elevation of Privilege Vulnerability | |||||
| CVE-2026-24302 | 1 Microsoft | 1 Azure Arc | 2026-02-12 | N/A | 8.6 HIGH |
| Azure Arc Elevation of Privilege Vulnerability | |||||
| CVE-2025-70997 | 1 Eladmin | 1 Eladmin | 2026-02-12 | N/A | 6.5 MEDIUM |
| A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | |||||
| CVE-2026-1964 | 1 Wekan Project | 1 Wekan | 2026-02-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component. | |||||
| CVE-2026-1962 | 1 Wekan Project | 1 Wekan | 2026-02-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. | |||||
| CVE-2026-24304 | 1 Microsoft | 1 Azure Resource Manager | 2026-02-12 | N/A | 9.9 CRITICAL |
| Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2026-2250 | 2026-02-12 | N/A | 7.5 HIGH | ||
| The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration. | |||||
| CVE-2025-70982 | 1 Bladex | 1 Springblade | 2026-02-12 | N/A | 9.9 CRITICAL |
| Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | |||||
| CVE-2026-23856 | 2026-02-12 | N/A | 7.8 HIGH | ||
| Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | |||||
| CVE-2026-21238 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-02-11 | N/A | 7.8 HIGH |
| Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-21255 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-02-11 | N/A | 8.8 HIGH |
| Improper access control in Windows Hyper-V allows an authorized attacker to bypass a security feature locally. | |||||
| CVE-2025-69908 | 1 Newgensoft | 1 Omniapp | 2026-02-11 | N/A | 7.5 HIGH |
| An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. | |||||
| CVE-2025-70983 | 1 Bladex | 1 Springblade | 2026-02-11 | N/A | 9.9 CRITICAL |
| Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | |||||
| CVE-2026-2205 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised. | |||||
| CVE-2026-2206 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component. | |||||