Total
3368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-68949 | 1 N8n | 1 N8n | 2026-01-16 | N/A | 5.3 MEDIUM |
| n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. | |||||
| CVE-2026-20949 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2026-01-16 | N/A | 7.8 HIGH |
| Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | |||||
| CVE-2025-61973 | 2026-01-16 | N/A | 8.8 HIGH | ||
| A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | |||||
| CVE-2026-23496 | 2026-01-16 | N/A | 5.4 MEDIUM | ||
| Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | |||||
| CVE-2026-23495 | 2026-01-16 | N/A | 4.3 MEDIUM | ||
| Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | |||||
| CVE-2026-20929 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-01-16 | N/A | 7.5 HIGH |
| Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-69221 | 1 Librechat | 1 Librechat | 2026-01-15 | N/A | 4.3 MEDIUM |
| LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2. | |||||
| CVE-2025-69220 | 1 Librechat | 1 Librechat | 2026-01-15 | N/A | 7.1 HIGH |
| LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | |||||
| CVE-2026-0643 | 1 Projectworlds | 1 House Rental And Property Listing Project | 2026-01-15 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | |||||
| CVE-2026-22043 | 1 Rustfs | 1 Rustfs | 2026-01-15 | N/A | 9.8 CRITICAL |
| RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. | |||||
| CVE-2025-15262 | 1 Biggidroid | 1 Simple Php Cms | 2026-01-15 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-12201 | 1 Ajayrandhawa | 1 User-management-php-mysql | 2026-01-15 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was identified in ajayrandhawa User-Management-PHP-MYSQL up to fedcf58797bf2791591606f7b61fdad99ad8bff1. This affects an unknown part of the file /admin/edit-user.php of the component User Management Interface. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-63223 | 1 Axeltechnology | 2 Streamermax Mk Ii, Streamermax Mk Ii Firmware | 2026-01-15 | N/A | 9.8 CRITICAL |
| The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | |||||
| CVE-2026-20839 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-15 | N/A | 5.5 MEDIUM |
| Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-20843 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-15 | N/A | 7.8 HIGH |
| Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-20825 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 4.4 MEDIUM |
| Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-0547 | 1 Phpgurukul | 1 Online Course Registration | 2026-01-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-22605 | 1 Openproject | 1 Openproject | 2026-01-14 | N/A | 4.3 MEDIUM |
| OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3. | |||||
| CVE-2026-0386 | 1 Microsoft | 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more | 2026-01-14 | N/A | 7.5 HIGH |
| Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | |||||
| CVE-2023-35121 | 1 Intel | 16 Advisor, Cluster Checker, Distribution For Python and 13 more | 2026-01-14 | N/A | 7.8 HIGH |
| Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow authenticated user to potentially enable escalation of privilege via local access. | |||||