Search Results (6341 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68934 | 1 Discourse | 1 Discourse | 2026-01-30 | 6.5 Medium |
| Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path. | ||||
| CVE-2025-68659 | 1 Discourse | 1 Discourse | 2026-01-30 | 4.3 Medium |
| Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerability in the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | ||||
| CVE-2025-59464 | 1 Nodejs | 2 Node.js, Nodejs | 2026-01-30 | 7.5 High |
| A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. | ||||
| CVE-2025-59466 | 1 Nodejs | 2 Node.js, Nodejs | 2026-01-30 | 7.5 High |
| We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | ||||
| CVE-2024-50388 | 1 Qnap | 2 Hbs 3, Hybrid Backup Sync | 2026-01-30 | 9.8 Critical |
| An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later. | ||||
| CVE-2025-13751 | 2 Microsoft, Openvpn | 2 Windows, Openvpn | 2026-01-30 | 5.5 Medium |
| Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | ||||
| CVE-2025-61492 | 1 Gongrzhe | 1 Terminal-controller-mcp | 2026-01-30 | 10 Critical |
| A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2021-47791 | 1 Smartftp | 1 Smartftp | 2026-01-30 | 7.5 High |
| SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | ||||
| CVE-2025-6775 | 1 Xiaoyunjie | 1 Openvpn-cms-flask | 2026-01-30 | 6.3 Medium |
| A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | ||||
| CVE-2025-27795 | 1 Graphicsmagick | 1 Graphicsmagick | 2026-01-29 | 4.3 Medium |
| ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits. | ||||
| CVE-2025-1946 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.3 Medium |
| A vulnerability was found in hzmanyun Education and Training System 2.1. It has been rated as critical. Affected by this issue is the function exportPDF of the file /user/exportPDF. The manipulation of the argument id leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-1947 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.3 Medium |
| A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-58187 | 1 Golang | 2 Crypto, Go | 2026-01-29 | 7.5 High |
| Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | ||||
| CVE-2025-61723 | 1 Golang | 2 Encoding, Go | 2026-01-29 | 7.5 High |
| The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | ||||
| CVE-2025-61724 | 1 Golang | 2 Go, Net | 2026-01-29 | 5.3 Medium |
| The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | ||||
| CVE-2025-1676 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.3 Medium |
| A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-61489 | 1 Sonirico | 1 Mcp-shell | 2026-01-29 | 6.5 Medium |
| A command injection vulnerability in the shell_exec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string. | ||||
| CVE-2016-15057 | 1 Apache | 1 Continuum | 2026-01-27 | 9.9 Critical |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installation's REST API can use this to invoke arbitrary commands on the server. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-58578 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | 3.8 Low |
| A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation. | ||||
| CVE-2025-58582 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | 5.3 Medium |
| If a user tries to login but the provided credentials are incorrect, a log is created. The data for these POST requests is not validated and it’s possible to send giant payloads which are then logged. | ||||