Total
178 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15556 | 1 Notepad-plus-plus | 1 Notepad\+\+ | 2026-02-13 | N/A | 7.5 HIGH |
| Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. | |||||
| CVE-2025-15575 | 2026-02-12 | N/A | 5.3 MEDIUM | ||
| The firmware update functionality does not verify the authenticity of the supplied firmware update files. This allows attackers to flash malicious firmware update files on the device. Initial analysis of the firmware update functionality does not show any cryptographic checks (e.g. digital signature checks) on the supplied firmware update files. Furthermore, ESP32 security features such as secure boot are not used. | |||||
| CVE-2026-20056 | 2026-02-05 | N/A | 4.0 MEDIUM | ||
| A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass the anti-malware scanner, allowing malicious archive files to be downloaded. This vulnerability is due to improper handling of certain archive files. An attacker could exploit this vulnerability by sending a crafted archive file, which should be blocked, through an affected device. A successful exploit could allow the attacker to bypass the anti-malware scanner and download malware onto an end user workstation. The downloaded malware will not automatically execute unless the end user extracts and launches the malicious file. | |||||
| CVE-2025-14265 | 1 Connectwise | 1 Screenconnect | 2026-01-16 | N/A | 9.1 CRITICAL |
| In versions of ScreenConnectâ„¢ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed. | |||||
| CVE-2025-63215 | 1 Sound4 | 2 Impact, Impact Firmware | 2026-01-15 | N/A | 7.2 HIGH |
| The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | |||||
| CVE-2025-69263 | 1 Pnpm | 1 Pnpm | 2026-01-12 | N/A | 7.5 HIGH |
| pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. | |||||
| CVE-2025-63220 | 1 Sound4 | 2 First, First Firmware | 2026-01-08 | N/A | 7.2 HIGH |
| The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | |||||
| CVE-2025-65855 | 1 Netun | 2 Helpflash Iot, Helpflash Iot Firmware | 2026-01-06 | N/A | 6.6 MEDIUM |
| The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. | |||||
| CVE-2025-55310 | 3 Apple, Foxit, Microsoft | 4 Macos, Pdf Editor, Pdf Reader and 1 more | 2025-12-18 | N/A | 7.3 HIGH |
| An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. An attacker able to alter or replace the static HTML files used by the StartPage feature can cause the application to load malicious or compromised content upon startup. This may result in information disclosure, unauthorized data access, or other security impacts. | |||||
| CVE-2025-68109 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 9.1 CRITICAL |
| ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. | |||||
| CVE-2025-40604 | 1 Sonicwall | 10 Email Security Appliance 5000, Email Security Appliance 5000 Firmware, Email Security Appliance 5050 and 7 more | 2025-12-12 | N/A | 9.8 CRITICAL |
| Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution. | |||||
| CVE-2025-66331 | 1 Huawei | 1 Harmonyos | 2025-12-08 | N/A | 3.3 LOW |
| Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-66332 | 1 Huawei | 1 Harmonyos | 2025-12-08 | N/A | 3.3 LOW |
| Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-66333 | 1 Huawei | 1 Harmonyos | 2025-12-08 | N/A | 3.3 LOW |
| Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-66334 | 1 Huawei | 1 Harmonyos | 2025-12-08 | N/A | 3.3 LOW |
| Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-61228 | 1 Shirt-pocket | 1 Superduper\! | 2025-12-05 | N/A | 7.8 HIGH |
| An issue in Shirt Pocket SuperDuper! V.3.10 and before allows a local attacker to execute arbitrary code via the software update mechanism | |||||
| CVE-2025-63434 | 1 Xtooltech | 1 Xtool Anyscan | 2025-11-28 | N/A | 8.8 HIGH |
| The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | |||||
| CVE-2023-45842 | 1 Buildroot | 1 Buildroot | 2025-11-04 | N/A | 8.1 HIGH |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `mxsldr` package. | |||||
| CVE-2023-45841 | 1 Buildroot | 1 Buildroot | 2025-11-04 | N/A | 8.1 HIGH |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `versal-firmware` package. | |||||
| CVE-2023-45840 | 1 Buildroot | 1 Buildroot | 2025-11-04 | N/A | 8.1 HIGH |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `riscv64-elf-toolchain` package. | |||||