CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,847 CVEs tracked; 53,242 with exploits; 4,725 exploited in the wild; 1,540 in CISA KEV; 3,918 Nuclei templates; 37,802 vendors; 42,493 researchers
CVE-2025-59785 7.2 HIGH EPSS 0.00
2N Access Commander <3.4.2 - Auth Bypass
Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges.
CWE-1286 Mar 04, 2026
CVE-2025-13327 6.3 MEDIUM EPSS 0.00
uv - Code Injection
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
CWE-1286 Feb 27, 2026
CVE-2026-21527 6.5 MEDIUM EPSS 0.00
Microsoft Exchange Server - Info Disclosure
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CWE-451 Feb 10, 2026
CVE-2026-25513 8.8 HIGH 1 Writeup EPSS 0.00
Facturascripts < 2025.81 - SQL Injection
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
CWE-20 Feb 04, 2026
CVE-2026-0663 4.9 MEDIUM EPSS 0.00
M-Files Server <26.1.15632.3 - DoS
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
CWE-1286 Jan 21, 2026
CVE-2026-21917 7.5 HIGH EPSS 0.00
Juniper Junos - Denial of Service
An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series:
* 23.2 versions from 23.2R2-S2 before 23.2R2-S5,
* 23.4 versions from 23.4R2-S1 before 23.4R2-S5,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R1-S3, 24.4R2.
Earlier versions of Junos are also affected, but no fix is available.
CWE-1286 Jan 15, 2026
CVE-2025-67492 5.3 MEDIUM EPSS 0.00
Weblate <5.15 - Info Disclosure
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
CWE-1286 Dec 16, 2025
CVE-2025-13033 7.5 HIGH EPSS 0.00
Email Parsing Library - SSRF
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
CWE-1286 Nov 14, 2025
CVE-2025-41719 8.8 HIGH EPSS 0.00
Webserver <unknown> - Memory Corruption
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password.
CWE-1286 Oct 22, 2025
CVE-2025-55085 7.5 HIGH EPSS 0.00
NetX Duo <6.4.4 - Buffer Overflow
In NetX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.
CWE-1286 Oct 17, 2025
CVE-2025-11573 7.5 HIGH EPSS 0.00
Nuget Amazon.iondotnet < 1.3.2 - Denial of Service
An infinite loop issue in Amazon.IonDotnet library versions <v1.3.2 may allow a threat actor to cause a denial of service through a specially crafted text input. To mitigate this issue, users should upgrade to version v1.3.2. As of August 20, 2025, this library has been deprecated and will not receive further updates.
CWE-1286 Oct 09, 2025
CVE-2025-36262 4.9 MEDIUM EPSS 0.00
IBM Planning Analytics Local <2.0.106, <2.1.13 - Info Disclosure
IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information due to the improper validation of input.
CWE-1286 Sep 30, 2025
CVE-2025-10954 5.3 MEDIUM 1 Writeup EPSS 0.00
github.com/nyaruka/phonenumbers <1.2.2 - Improper Validation
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range".
CWE-1286 Sep 27, 2025
CVE-2025-54995 6.5 MEDIUM 1 Writeup EPSS 0.01
Sangoma Asterisk < 18.26.4 - Denial of Service
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.
CWE-1286 Aug 28, 2025
CVE-2025-25007 5.3 MEDIUM EPSS 0.00
Microsoft Exchange Server - Info Disclosure
Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CWE-1286 Aug 12, 2025
CVE-2024-51983 7.5 HIGH 1 Writeup EPSS 0.01
Web Services < unknown - DoS
An unauthenticated attacker who can connect to the Web Services feature (HTTP TCP port 80) can issue a WS-Scan SOAP request containing an unexpected JobToken value which will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device.
CWE-1286 Jun 25, 2025
CVE-2024-51982 7.5 HIGH 1 Writeup EPSS 0.01
Printer Device <unknown> - DoS
An unauthenticated attacker who can connect to TCP port 9100 can issue a Printer Job Language (PJL) command that will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device. A malformed PJL variable FORMLINES is set to a non number value causing the target to crash.
CWE-1286 Jun 25, 2025
CVE-2025-30415 7.5 HIGH EPSS 0.00
Acronis Cyber Protect Cloud Agent <40077 - DoS
Denial of service due to improper handling of malformed input. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40077, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186.
CWE-1286 Jun 04, 2025
CVE-2025-43878 6.0 MEDIUM EPSS 0.00
F5OS-C/A - Privilege Escalation
When running in Appliance mode, an authenticated attacker assigned the Administrator or Resource Administrator role may be able to bypass Appliance mode restrictions utilizing the system diagnostics tcpdump command utility on a F5OS-C/A system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CWE-1286 May 07, 2025
CVE-2025-24348 5.4 MEDIUM EPSS 0.00
ctrlX OS - Wireless Network Configuration File Manipulation
A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request.
CWE-1286 Apr 30, 2025