CVEs
Browse and track CVEs by technology, product and vulnerability type. Find the latest vulnerabilities for WordPress, NGINX, APIs and more.
Latest
- CVE-2026-3588 Published Mar 9, 2026
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request.
- CVE-2026-25866 Published Mar 9, 2026
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
- CVE-2025-70060 Published Mar 9, 2026
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
- CVE-2025-70050 Published Mar 9, 2026
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
- CVE-2025-70048 Published Mar 9, 2026
An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
- CVE-2025-70047 Published Mar 9, 2026
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
- CVE-2025-70046 Published Mar 9, 2026
An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
- CVE-2025-70042 Published Mar 9, 2026
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
- CVE-2025-70040 Published Mar 9, 2026
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
- CVE-2024-14027 Published Mar 9, 2026
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request.
high 7.5
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
high 8.5
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").