Total
327000 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-21045 | 1 Samsung | 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more | 2026-01-09 | N/A | 4.0 MEDIUM |
| Insecure storage of sensitive information in Galaxy Watch prior to SMR Oct-2025 Release 1 allows local attackers to access sensitive information. | |||||
| CVE-2025-56232 | 1 Cdprojekt | 1 Gog Galaxy | 2026-01-09 | N/A | 6.8 MEDIUM |
| GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update requests and replace installer or update packages with malicious files. | |||||
| CVE-2025-63334 | 1 Magdesign | 2 Pocketvj Control Panel, Pocketvj Control Panel Firmware | 2026-01-09 | N/A | 9.8 CRITICAL |
| PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system. | |||||
| CVE-2025-60784 | 1 Xiaozhangbang | 1 Voluntary Like System | 2026-01-09 | N/A | 6.5 MEDIUM |
| A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts. | |||||
| CVE-2025-63585 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-01-09 | N/A | 6.5 MEDIUM |
| OSSN (Open Source Social Network) 8.6 is vulnerable to SQL Injection in /action/rtcomments/status via the timestamp parameter. | |||||
| CVE-2025-28953 | 1 Axiomthemes | 1 Smart Seo | 2026-01-09 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in axiomthemes smart SEO smartSEO allows SQL Injection.This issue affects smart SEO: from n/a through <= 4.0. | |||||
| CVE-2024-47356 | 1 Catchthemes | 1 Create | 2026-01-09 | N/A | 5.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Catch Themes Create allows Stored XSS.This issue affects Create: from n/a through 2.9.1. | |||||
| CVE-2026-22198 | 2026-01-09 | N/A | N/A | ||
| GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session. | |||||
| CVE-2026-22197 | 2026-01-09 | N/A | N/A | ||
| GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | |||||
| CVE-2026-22196 | 2026-01-09 | N/A | N/A | ||
| GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | |||||
| CVE-2026-22195 | 2026-01-09 | N/A | N/A | ||
| GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | |||||
| CVE-2026-22194 | 2026-01-09 | N/A | N/A | ||
| GestSup versions up to and including 3.2.56 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint. | |||||
| CVE-2025-70161 | 2026-01-09 | N/A | N/A | ||
| EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system() function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution. | |||||
| CVE-2025-69542 | 2026-01-09 | N/A | N/A | ||
| A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges. | |||||
| CVE-2025-69426 | 2026-01-09 | N/A | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. | |||||
| CVE-2025-69425 | 2026-01-09 | N/A | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | |||||
| CVE-2025-67281 | 2026-01-09 | N/A | 5.4 MEDIUM | ||
| In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. | |||||
| CVE-2025-67280 | 2026-01-09 | N/A | 5.4 MEDIUM | ||
| In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. | |||||
| CVE-2025-67279 | 2026-01-09 | N/A | 5.3 MEDIUM | ||
| An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format | |||||
| CVE-2025-67278 | 2026-01-09 | N/A | 6.5 MEDIUM | ||
| An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request | |||||