Export limit exceeded: 362546 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10718 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42971 | 1 Microsoft | 21 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 18 more | 2026-06-11 | 5.5 Medium |
| Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-42907 | 1 Microsoft | 18 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 15 more | 2026-06-11 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-49219 | 1 Imagemagick | 1 Imagemagick | 2026-06-11 | 5.5 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24. | ||||
| CVE-2025-38085 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-06-11 | 4.7 Medium |
| In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse. | ||||
| CVE-2026-47165 | 1 Imagemagick | 1 Imagemagick | 2026-06-11 | 4.1 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23. | ||||
| CVE-2026-45329 | 1 Espressif | 1 Esp-idf | 2026-06-11 | 7.1 High |
| ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only some of the caller-supplied pointer arguments, leaving input pointer arguments unchecked. Because the underlying TEE-protected hardware peripherals (e.g., ECC, SHA, SPI) run in RISC-V machine mode (M-mode) with full address-space access, a caller could supply pointers into TEE-exclusive memory as inputs, causing the peripheral to read TEE memory and return results derived from it to the REE. Depending on the wrapper, the result contains raw bytes from TEE memory, a computed function of TEE memory recoverable through repeated calls, or a single bit per call that forms an oracle for incremental disclosure of TEE-resident sensitive data. This issue has been patched in versions 5.5.5 and 6.0.1. | ||||
| CVE-2026-42906 | 1 Microsoft | 15 Windows 10 21h2, Windows 10 21h2, Windows 10 22h2 and 12 more | 2026-06-11 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-45594 | 1 Microsoft | 21 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 18 more | 2026-06-11 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-53912 | 2026-06-11 | N/A | ||
| Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message. An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems. Cerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing. Affected component: Inbox self-registration request handling and audit logging Fixed version: Cerebrate 1.37 | ||||
| CVE-2026-0411 | 1 Netgear | 4 Rbe97x, Rbr350, Rbr760 and 1 more | 2026-06-11 | N/A |
| An information disclosure vulnerability in the NETGEAR Orbi satellites (RBR/RBE/RBS Series) could allow a user connected to your network to gain administrator access to the Orbi router. The listed NETGEAR models are affected by this vulnerability. Orbi WiFi Systems without satellite devices are not impacted by this issue. | ||||
| CVE-2026-46443 | 1 Flowiseai | 1 Flowise | 2026-06-11 | 6.5 Medium |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2. | ||||
| CVE-2026-42973 | 1 Microsoft | 21 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 18 more | 2026-06-10 | 5.5 Medium |
| Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-36719 | 1 Agentchat | 1 Agentchat | 2026-06-10 | 7.5 High |
| An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs. | ||||
| CVE-2026-34905 | 1 Apache | 1 Answer | 2026-06-10 | 6.5 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | ||||
| CVE-2026-11182 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-10 | 6.5 Medium |
| Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-10045 | 1 Shenzhen Kangda Xin Intelligent Network Technology | 1 Dr300 | 2026-06-10 | 9.8 Critical |
| Shenzhen Kangda Xin Intelligent Network Technology Company's router, model DR300, version 2.1.2.121, contains hardcoded login credentials and has telnet enabled by default on WAN and LAN interfaces. These vulnerabilities allow attackers to read and write to memory, modify firmware stored in flash, inspect active connections, and view currently connected devices. | ||||
| CVE-2026-50508 | 1 Microsoft | 12 Windows 10 1607, Windows 11 22h2, Windows 11 22h2 and 9 more | 2026-06-10 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2024-43610 | 1 Microsoft | 1 Copilot Studio | 2026-06-09 | 7.4 High |
| Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector | ||||
| CVE-2024-43609 | 1 Microsoft | 7 365 Apps, Office, Office 2016 and 4 more | 2026-06-09 | 6.5 Medium |
| Microsoft Office Spoofing Vulnerability | ||||
| CVE-2026-47351 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2. | ||||