CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 325199 CVEs are indexed from NVD.

Search

Vulnerability Watch ›

  • CVE-2025-14733
    criticalVulnerability of Interest

    This RCE flaw affecting WatchGuard Firebox can be exploited in certain configurations. Exploitation has been observed and immediate patching is recommended.

  • CVE-2025-40602
    mediumVulnerability of Interest

    SonicWall SMA1000 appliances are affected by a privilege escalation flaw (CVE-2025-40602). When chained with CVE-2025-23006, code execution is possible. Exploitation has begun

  • CVE-2025-20393
    criticalVulnerability of Interest

    A Cisco Secure Email Gateway And Cisco Secure Email and Web Manager command injection flaw can be exploited in certain configurations, limited exploitation has been observed.

  • CVE-2025-59719
    criticalVulnerability of Interest

    Exploitation has been observed for this authentication bypass flaw. Immediate patching is recommended and access to the management interface should be restricted.

  • CVE-2025-59718
    criticalVulnerability of Interest

    Exploitation has been observed for this authentication bypass flaw. Immediate patching is recommended and access to the management interface should be restricted.

  • CVE-2025-23006
    criticalVulnerability of Interest

    SonicWall SMA1000 appliances are affected by a privilege escalation flaw (CVE-2025-40602). When chained with CVE-2025-23006, code execution is possible. Exploitation has begun

  • CVE-2025-68613
    criticalVulnerability Being Monitored

    Code execution is possible in some conditions. Immediate updating of the n8n automation platform is recommended.

  • CVE-2025-14847
    highVulnerability Being Monitored

    This critical severity RCE affecting MongoDB should be patched as soon as possible. Currently no known exploitation has been reported.

  • CVE-2025-37164
    criticalVulnerability Being Monitored

    This HPE OneView RCE was assigned the maximum CVSS score of 10. While no exploitation has been reported, immediate patching is recommended.

Newest ›

  • Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could perform arbitrary code execution . This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.

  • Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.

  • Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.

  • DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

  • In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in camera video analytics that Improper input validation. This vulnerability could allow an attacker to execute specific commands on the user's host PC.The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Updated ›

  • Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

  • In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

  • In Gitea before 1.21.2, an anonymous user can visit a private user's project.

  • Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

  • Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

  • Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

  • Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

  • In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

  • Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

  • Gitea before 1.25.2 mishandles authorization for deletion of releases.