Total
400 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22030 | 2026-01-10 | N/A | 6.5 MEDIUM | ||
| React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. | |||||
| CVE-2025-67825 | 2026-01-09 | N/A | 9.8 CRITICAL | ||
| An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. | |||||
| CVE-2026-20893 | 2026-01-08 | N/A | 7.8 HIGH | ||
| Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | |||||
| CVE-2025-69260 | 2026-01-08 | N/A | 7.5 HIGH | ||
| A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. | |||||
| CVE-2025-69258 | 2026-01-08 | N/A | 9.8 CRITICAL | ||
| A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations. | |||||
| CVE-2025-69259 | 2026-01-08 | N/A | 7.5 HIGH | ||
| A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. | |||||
| CVE-2025-7365 | 1 Redhat | 1 Keycloak | 2026-01-08 | N/A | 7.1 HIGH |
| A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. | |||||
| CVE-2025-13947 | 2026-01-07 | N/A | 7.4 HIGH | ||
| A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser. | |||||
| CVE-2025-69235 | 2025-12-31 | N/A | 7.5 HIGH | ||
| Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. | |||||
| CVE-2025-63386 | 1 Langgenius | 1 Dify | 2025-12-30 | N/A | 9.1 CRITICAL |
| A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. | |||||
| CVE-2025-63388 | 1 Langgenius | 1 Dify | 2025-12-30 | N/A | 9.1 CRITICAL |
| A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. | |||||
| CVE-2025-61740 | 2025-12-23 | N/A | N/A | ||
| Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device. | |||||
| CVE-2023-23601 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-12-18 | N/A | 6.5 MEDIUM |
| Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7. | |||||
| CVE-2025-62250 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-12 | N/A | 6.5 MEDIUM |
| Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data to the Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions that will treat it as trusted data via unauthenticated cluster messages. | |||||
| CVE-2025-37734 | 1 Elastic | 1 Kibana | 2025-12-11 | N/A | 4.3 MEDIUM |
| Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | |||||
| CVE-2024-32764 | 1 Qnap | 1 Myqnapcloud Link | 2025-12-10 | N/A | 9.9 CRITICAL |
| A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later | |||||
| CVE-2025-14331 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-12-10 | N/A | 6.5 MEDIUM |
| Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | |||||
| CVE-2025-34291 | 2025-12-08 | N/A | N/A | ||
| Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise. | |||||
| CVE-2024-32642 | 1 Masacms | 1 Masacms | 2025-12-05 | N/A | 8.8 HIGH |
| Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | |||||
| CVE-2025-8074 | 2025-12-04 | N/A | 5.6 MEDIUM | ||
| Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | |||||