Total
4385 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-21694 | 1 Kromit | 1 Titra | 2026-01-08 | 6.8 Medium |
| Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50. | ||||
| CVE-2025-56558 | 1 Dyson | 1 App | 2026-01-08 | 3 Low |
| The Dyson MQTT server (2022 and possibly later) allows publications and subscriptions by a client that has the correct values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and device serial number, even if a device (such as a Pure Hot+Cool device) has been removed and is not visible in the supported MyDyson app. This could allow an unexpected actor to obtain control and set the room temperature (up to 37 Celsius) if ownership of the device is transferred without wiping the device. NOTE: the Supplier's position is that this is "a potential vulnerability that dates back 4 years ago in 2022 and we are unable to replicate that anymore." | ||||
| CVE-2026-21635 | 1 Ubiquiti | 1 Ev Station Lite | 2026-01-08 | 5.3 Medium |
| An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet. | ||||
| CVE-2026-21447 | 1 Webkul | 1 Bagisto | 2026-01-08 | 7.1 High |
| Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. | ||||
| CVE-2025-15448 | 2026-01-08 | 6.3 Medium | ||
| A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-0566 | 1 Code-projects | 1 Content Management System | 2026-01-08 | 4.7 Medium |
| A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-0577 | 1 Code-projects | 1 Online Product Reservation System | 2026-01-08 | 6.3 Medium |
| A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-0980 | 2 Linux, Nokia | 2 Linux, Service Router Linux | 2026-01-08 | 6.4 Medium |
| Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. | ||||
| CVE-2026-0643 | 1 Projectworlds | 1 House Rental And Property Listing Project | 2026-01-08 | 7.3 High |
| A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2025-69221 | 1 Librechat | 1 Librechat | 2026-01-08 | 4.3 Medium |
| LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2. | ||||
| CVE-2025-69220 | 1 Librechat | 1 Librechat | 2026-01-08 | 7.1 High |
| LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | ||||
| CVE-2026-22043 | 2026-01-08 | N/A | ||
| RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. | ||||
| CVE-2025-15415 | 1 Xnx3 | 1 Wangmarket | 2026-01-08 | 4.7 Medium |
| A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62570 | 1 Microsoft | 5 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 2 more | 2026-01-07 | 7.1 High |
| Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-62474 | 1 Microsoft | 22 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 19 more | 2026-01-07 | 7.8 High |
| Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59517 | 1 Microsoft | 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more | 2026-01-07 | 7.8 High |
| Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-64669 | 1 Microsoft | 1 Windows Admin Center | 2026-01-07 | 7.8 High |
| Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-64673 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-01-07 | 7.8 High |
| Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2022-32872 | 1 Apple | 2 Ipados, Iphone Os | 2026-01-07 | 2.4 Low |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen. | ||||
| CVE-2025-15423 | 2 Empiresoft, Phome | 2 Empirecms, Empirecms | 2026-01-07 | 6.3 Medium |
| A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||