Total
331311 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25237 | 1 Pear | 1 Pearweb | 2026-02-04 | N/A |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. | ||||
| CVE-2025-29867 | 1 Hancom | 4 Hancom Office 2018, Hancom Office 2020, Hancom Office 2022 and 1 more | 2026-02-04 | N/A |
| Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Hancom Inc. Hancom Office 2018, Hancom Inc. Hancom Office 2020, Hancom Inc. Hancom Office 2022, Hancom Inc. Hancom Office 2024 allows File Content Injection.This issue affects Hancom Office 2018: before 10.0.0.12681; Hancom Office 2020: before 11.0.0.8916; Hancom Office 2022: before 12.0.0.4426; Hancom Office 2024: before 13.0.0.3050. | ||||
| CVE-2026-1791 | 1 Hillstone Networks | 1 Operation And Maintenance Security Gateway | 2026-02-04 | 2.7 Low |
| Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server.This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. | ||||
| CVE-2025-60785 | 2 Icescrum, Kagilum | 2 Icescrum, Icescrum | 2026-02-04 | 8.8 High |
| A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. | ||||
| CVE-2026-1835 | 1 Lcg0124 | 1 Bootdo | 2026-02-04 | 4.3 Medium |
| A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | ||||
| CVE-2025-63441 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-02-04 | 7.3 High |
| Open Source Social Network (OSSN) 8.6 is vulnerable to Cross Site Scripting (XSS) via the parameter param` at endpoint u/administrator/friends. | ||||
| CVE-2026-1633 | 1 Synectix | 1 Lan 232 Trio | 2026-02-04 | 10 Critical |
| The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device. | ||||
| CVE-2026-1632 | 1 Riss Srl | 1 Moma Seismic Station | 2026-02-04 | 9.1 Critical |
| MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | ||||
| CVE-2026-25027 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion.This issue affects Unicamp: from n/a through <= 2.7.1. | ||||
| CVE-2025-71179 | 1 Creativeitem | 1 Academy Lms | 2026-02-04 | 6.1 Medium |
| Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint. | ||||
| CVE-2025-70841 | 1 Dokans | 1 Multitenancy Based Ecommerce Platform Saas | 2026-02-04 | 10 Critical |
| Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | ||||
| CVE-2025-60013 | 1 F5 | 2 F5os, F5os-a | 2026-02-04 | 4.6 Medium |
| When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, arbitrary system commands may be executed, and the FIPS hardware security module (HSM) may fail to initialize. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-32023 | 1 Redis | 1 Redis | 2026-02-04 | 7 High |
| Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands. | ||||
| CVE-2025-24514 | 1 Kubernetes | 1 Ingress-nginx | 2026-02-04 | 8.8 High |
| A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | ||||
| CVE-2025-1098 | 1 Kubernetes | 1 Ingress-nginx | 2026-02-04 | 8.8 High |
| A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | ||||
| CVE-2025-1097 | 1 Kubernetes | 1 Ingress-nginx | 2026-02-04 | 8.8 High |
| A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | ||||
| CVE-2024-37301 | 1 Adfinis | 1 Document Merge Service | 2026-02-04 | 7.2 High |
| Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed. | ||||
| CVE-2025-63294 | 1 Workdo | 2 Hrm Saas, Hrm Saas Hr And Payroll Tool | 2026-02-04 | 6.5 Medium |
| WorkDo HRM SaaS HR and Payroll Tool 8.1 is affected vulnerable to Insecure Permissions. An authenticated user can create leave or resignation records on behalf of other users. | ||||
| CVE-2020-37092 | 1 Netis-systems | 1 Netis E1+ | 2026-02-04 | 7.5 High |
| Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. | ||||
| CVE-2020-37091 | 1 Maian | 2 Support, Support Helpdesk | 2026-02-04 | 5.3 Medium |
| Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. | ||||