CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/01/27 11:35 a.m.•2 views

EUVD-2025-206407

A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes...

8.8CVSS6.4AI score0.00351EPSS

Vulnrichment•added 2026/01/27 11:35 a.m.•2 views

CVE-2025-41726 Beckhoff: Arbitrary code execution within privileged processes

8.8CVSS6.4AI score0.00351EPSS

ATTACKERKB•added 2026/01/27 11:35 a.m.•2 views

CVE-2025-41726

8.8CVSS6.4AI score0.00351EPSS

RedhatCVE•added 2026/01/24 3:17 a.m.•4 views

CVE-2026-0785

ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw...

8.8CVSS6.5AI score0.00767EPSS

EUVD•added 2026/01/24 2:2 a.m.•2 views

EUVD-2026-4257

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...

5.3CVSS5.4AI score0.00021EPSS

Exploits1References2

OSV•added 2026/01/23 9:15 p.m.•1 views

CVE-2025-52022

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to publ...

5.3CVSS6AI score

Cvelist•added 2026/01/23 3:0 a.m.•26 views

CVE-2026-0785 ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability

7.5CVSS0.00767EPSS

ATTACKERKB•added 2026/01/23 12:0 a.m.•2 views

CVE-2025-52024

A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services,...

9.4CVSS6AI score0.00054EPSS

Snyk•added 2026/01/22 10:50 p.m.•3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...

9.8CVSS5.6AI score0.0012EPSS

Exploits1References2

OSV•added 2026/01/22 6:2 p.m.•3 views

GHSA-4XC5-WFWC-JW47 Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass

Summary Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The...

7.4CVSS6.1AI score0.00019EPSS

Exploits1References4

EUVD•added 2026/01/22 2:59 p.m.•2 views

EUVD-2026-4135

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI key...

7.4CVSS5.6AI score0.00019EPSS

Exploits1References4

ATTACKERKB•added 2026/01/22 9:18 a.m.•3 views

CVE-2026-1332

MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information...

6.9CVSS5.4AI score0.00027EPSS

EUVD•added 2026/01/22 3:52 a.m.•3 views

EUVD-2026-4221

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...

9.4CVSS5.9AI score0.00121EPSS

Positive Technologies•added 2026/01/22 12:0 a.m.•4 views

PT-2026-3925

6.9CVSS5.5AI score0.00027EPSS

CNNVD•added 2026/01/22 12:0 a.m.•1 views

HAMASTAR MeetingHub Access Control Vulnerability

HAMASTAR MeetingHub is a paperless conference system developed by HAMASTAR, a company from Taiwan, China. HAMASTAR MeetingHub has a security vulnerability related to access control, which stems from the lack of authentication. This vulnerability could allow unverified remote attackers to access...

6.9CVSS5.8AI score0.00027EPSS

Vulnrichment•added 2026/01/21 8:51 p.m.•2 views

CVE-2026-22598 ManageIQ vulnerable to DoS Attack when creating TimeProfiles

ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the...

7.1CVSS5.4AI score0.00203EPSS