Latest CVE Feed
-
6.9
MEDIUMCVE-2026-22543
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2025-6225
Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form. The injected commands would execute with low privileges. The vulnerability has been fixed in versi... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2025-34171
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path... Read more
Affected Products :- Published: Jan. 02, 2026
- Modified: Jan. 08, 2026
-
6.9
MEDIUMCVE-2025-59102
The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs ... Read more
Affected Products :- Published: Jan. 26, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Information Disclosure
-
6.9
MEDIUMCVE-2025-66002
An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users ton perform arbitrary unmounts via smb4k mount helper... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2026-22188
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled a... Read more
Affected Products : panda3d- Published: Jan. 07, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Denial of Service
-
6.9
MEDIUMCVE-2019-25290
Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewal... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Server-Side Request Forgery
-
6.9
MEDIUMCVE-2021-47899
YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Server-Side Request Forgery
-
6.9
MEDIUMCVE-2025-15115
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can ... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2025-66051
Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration ... Read more
- Published: Jan. 09, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Path Traversal
-
6.9
MEDIUMCVE-2025-3654
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure
-
6.9
MEDIUMCVE-2025-3660
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pe... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
6.9
MEDIUMCVE-2025-66023
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is tr... Read more
Affected Products :- Published: Jan. 01, 2026
- Modified: Jan. 02, 2026
- Vuln Type: Memory Corruption
-
6.9
MEDIUMCVE-2025-3652
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send ... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure
-
6.8
MEDIUMCVE-2025-13056
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects I... Read more
Affected Products :- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.8
MEDIUMCVE-2025-68437
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability aris... Read more
Affected Products : craft_cms- Published: Jan. 05, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Server-Side Request Forgery
-
6.8
MEDIUMCVE-2025-59095
The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined wit... Read more
Affected Products :- Published: Jan. 26, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cryptography
-
6.8
MEDIUMCVE-2025-68656
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the ... Read more
Affected Products : usb_host_hid_driver- Published: Jan. 12, 2026
- Modified: Jan. 22, 2026
- Vuln Type: Memory Corruption
-
6.8
MEDIUMCVE-2025-65731
An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface wit... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authentication
-
6.8
MEDIUMCVE-2025-12513
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring... Read more
Affected Products :- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting