Total
4447 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-31125 | 1 Vitejs | 1 Vite | 2026-01-23 | 5.3 Medium |
| Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. | ||||
| CVE-2026-21962 | 1 Oracle | 1 Http Server Oracle Weblogic Server Proxy Plug-in | 2026-01-23 | 10 Critical |
| Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | ||||
| CVE-2026-24304 | 1 Microsoft | 1 Azure Resource Manager | 2026-01-23 | 9.9 Critical |
| Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-24306 | 1 Microsoft | 1 Azure Front Door | 2026-01-23 | 9.8 Critical |
| Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-20949 | 1 Microsoft | 6 365 Apps, Office 2021, Office 2024 and 3 more | 2026-01-23 | 7.8 High |
| Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2026-20929 | 1 Microsoft | 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more | 2026-01-23 | 7.5 High |
| Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-20843 | 1 Microsoft | 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more | 2026-01-23 | 7.8 High |
| Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-20839 | 1 Microsoft | 22 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 19 more | 2026-01-23 | 5.5 Medium |
| Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-20825 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-01-23 | 4.4 Medium |
| Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-0386 | 1 Microsoft | 11 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 8 more | 2026-01-23 | 7.5 High |
| Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | ||||
| CVE-2026-20912 | 2026-01-22 | N/A | ||
| Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | ||||
| CVE-2026-20904 | 2026-01-22 | N/A | ||
| Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | ||||
| CVE-2026-20897 | 2026-01-22 | N/A | ||
| Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | ||||
| CVE-2026-20888 | 2026-01-22 | N/A | ||
| Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | ||||
| CVE-2026-20883 | 2026-01-22 | N/A | ||
| Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | ||||
| CVE-2026-20750 | 2026-01-22 | N/A | ||
| Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | ||||
| CVE-2026-20736 | 2026-01-22 | N/A | ||
| Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | ||||
| CVE-2026-0798 | 2026-01-22 | N/A | ||
| Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | ||||
| CVE-2025-15495 | 1 Biggidroid | 1 Simple Php Cms | 2026-01-22 | 4.7 Medium |
| A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63387 | 1 Langgenius | 1 Dify | 2026-01-22 | 7.5 High |
| Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed. | ||||