Export limit exceeded: 351488 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351488 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6902 | 1 Perforce | 1 Helix Core | 2026-05-19 | N/A |
| A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks. | ||||
| CVE-2026-21789 | 1 Hcltech | 1 Connections | 2026-05-19 | 4.6 Medium |
| HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios. | ||||
| CVE-2026-8851 | 1 Alinto | 1 Sogo Web Mail | 2026-05-19 | 8.1 High |
| SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel. | ||||
| CVE-2026-22810 | 1 Laurent 22 | 1 Joplin | 2026-05-19 | 8.2 High |
| Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7. | ||||
| CVE-2026-32323 | 1 Mullvad | 1 Mullvad Vpn | 2026-05-19 | 7.3 High |
| Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1. | ||||
| CVE-2026-7163 | 1 Redhat | 2 Multicluster Engine, Multicluster Engine For Kubernetes | 2026-05-19 | 6.1 Medium |
| A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters. | ||||
| CVE-2025-13601 | 2 Gnome, Redhat | 41 Glib, Ceph Storage, Codeready Linux Builder and 38 more | 2026-05-19 | 7.7 High |
| A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string. | ||||
| CVE-2026-44408 | 2026-05-19 | 6.3 Medium | ||
| There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface. | ||||
| CVE-2026-47309 | 1 Samsung Open Source | 1 Escargot | 2026-05-19 | 5.5 Medium |
| Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | ||||
| CVE-2026-47311 | 1 Samsung Open Source | 1 Escargot | 2026-05-19 | 7.8 High |
| Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | ||||
| CVE-2026-41525 | 1 Kde | 1 Dolphin | 2026-05-19 | 6.5 Medium |
| KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.) | ||||
| CVE-2026-4885 | 2026-05-19 | 9.8 Critical | ||
| The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form. | ||||
| CVE-2026-32994 | 1 Rocket.chat | 1 Rocket.chat | 2026-05-19 | N/A |
| The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content. | ||||
| CVE-2026-25110 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 3.3 Low |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS. | ||||
| CVE-2026-25850 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 5.5 Medium |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak | ||||
| CVE-2026-24792 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 8.1 High |
| in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps. | ||||
| CVE-2026-27781 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 3.3 Low |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS. | ||||
| CVE-2026-28751 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 3.3 Low |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS. | ||||
| CVE-2026-25781 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 8.4 High |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS and it cannot be recovered. | ||||
| CVE-2026-27766 | 1 Openharmony | 1 Openharmony | 2026-05-19 | 5.5 Medium |
| in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak. | ||||