Export limit exceeded: 352661 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352661 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-35221 | 2026-05-26 | N/A | ||
| Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | ||||
| CVE-2026-48903 | 2026-05-26 | N/A | ||
| Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | ||||
| CVE-2026-35220 | 2026-05-26 | N/A | ||
| Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | ||||
| CVE-2026-35222 | 2026-05-26 | N/A | ||
| Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | ||||
| CVE-2026-9565 | 1 Haojing8312 | 1 Workclaw | 2026-05-26 | 6.3 Medium |
| A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-1773 | 1 Hitachienergy | 9 Rtu500 Firmware, Rtu520, Rtu520 Firmware and 6 more | 2026-05-26 | 7.5 High |
| IEC 60870-5-104 used in RTU500: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation. | ||||
| CVE-2026-23262 | 1 Linux | 1 Linux Kernel | 2026-05-26 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats. When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption. If the queue count is decreased, there is a gap between the driver and NIC stats, leading to incorrect stats reporting. This change fixes the issue by allocating stats region with maximum size, and the offset calculation for NIC stats is changed to match with the calculation of the NIC. | ||||
| CVE-2026-40384 | 2026-05-26 | N/A | ||
| An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | ||||
| CVE-2026-48905 | 2026-05-26 | N/A | ||
| Lack of input filtering leads to an XSS vector in the HTML filter code. | ||||
| CVE-2026-48897 | 2026-05-26 | N/A | ||
| Insufficient state checks lead to a vector that allows to bypass 2FA checks. | ||||
| CVE-2026-25901 | 2026-05-26 | N/A | ||
| Lack of output escaping leads to a XSS vector in the multilingual associations component. | ||||
| CVE-2026-30894 | 2026-05-26 | N/A | ||
| Lack of output escaping leads to a XSS vector in the content history component. | ||||
| CVE-2026-48901 | 2026-05-26 | N/A | ||
| The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | ||||
| CVE-2026-48091 | 2026-05-26 | N/A | ||
| Further research determined the issue is not a vulnerability. | ||||
| CVE-2026-43981 | 2026-05-26 | N/A | ||
| Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6. | ||||
| CVE-2026-9564 | 2 Oretnom23, Sourcecodester | 2 Hospitals Patient Records Management System, Hospitals Patient Records Management System | 2026-05-26 | 2.4 Low |
| A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | ||||
| CVE-2026-48684 | 1 Pavel-odintsov | 1 Fastnetmon | 2026-05-26 | N/A |
| FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer. | ||||
| CVE-2026-48686 | 1 Pavel-odintsov | 1 Fastnetmon | 2026-05-26 | N/A |
| FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior. | ||||
| CVE-2026-48687 | 1 Pavel-odintsov | 1 Fastnetmon | 2026-05-26 | N/A |
| FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters. | ||||
| CVE-2026-48688 | 1 Pavel-odintsov | 1 Fastnetmon | 2026-05-26 | N/A |
| FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size. | ||||