Export limit exceeded: 365452 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365452 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47479 | 1 Nvidia | 1 Triton Inference Server | 2026-07-15 | 7.5 High |
| NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-47480 | 1 Nvidia | 1 Triton Inference Server | 2026-07-15 | 7.5 High |
| NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an uncaught exception. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-47481 | 1 Nvidia | 1 Triton Inference Server | 2026-07-15 | 6.5 Medium |
| NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an authentication bypass through an alternative path or channel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2026-47736 | 1 Puma | 1 Puma | 2026-07-15 | 7.5 High |
| Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, when PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer while waiting for CRLF to determine whether a PROXY v1 line is present, allowing an attacker that continuously sends bytes without CRLF to cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer. This issue is fixed in versions 7.2.1 and 8.0.2. | ||||
| CVE-2026-47423 | 1 Cure53 | 1 Dompurify | 2026-07-15 | 8.2 High |
| DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside <selectedcontent> is returned. This issue is fixed in version 3.4.5. | ||||
| CVE-2026-49997 | 2026-07-15 | 5.4 Medium | ||
| SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0. | ||||
| CVE-2026-48799 | 2026-07-15 | 7.7 High | ||
| Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8. | ||||
| CVE-2026-15489 | 1 Rafymrx | 1 Toko-online-roti | 2026-07-15 | 7.3 High |
| A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-15501 | 1 Astrbot | 1 Astrbot | 2026-07-15 | 6.3 Medium |
| A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function ToolsRoute.test_mcp_connection of the file astrbot/dashboard/routes/tools.py of the component MCP Test Endpoint. The manipulation of the argument mcp_server_config.url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-9007 | 2026-07-15 | N/A | ||
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in HCL Notes from HCL Software allows reflected Cross-Site Scripting (XSS). Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user. This issue affects HCL Notes: Release 12.0.2FP5HF8 on Linux 4.18.0-553.52.1.El8_10.X64_64#1. | ||||
| CVE-2026-62659 | 2026-07-15 | N/A | ||
| A security flaw was discovered in the NETGEAR WAX333 Access Point that could allow someone already logged in and connected to the local network to make unauthorized changes to the device's settings | ||||
| CVE-2026-50147 | 2026-07-15 | 7.6 High | ||
| Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4. | ||||
| CVE-2026-62178 | 2026-07-15 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-61427. Reason: This candidate is a duplicate of CVE-2026-61427. Notes: All CVE users should reference CVE-2026-61427 instead of this candidate. | ||||
| CVE-2026-47703 | 2026-07-15 | N/A | ||
| AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by producing dns_id=0 or txid=0 and exposed a quoted-port ICMP source-port oracle, weakening DNS response matching for forwarded queries. This issue is fixed in version 0.107.75. | ||||
| CVE-2026-55242 | 2026-07-15 | 8.8 High | ||
| ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0. | ||||
| CVE-2026-62177 | 2026-07-15 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-60085. Reason: This candidate is a duplicate of CVE-2026-60085. Notes: All CVE users should reference CVE-2026-60085 instead of this candidate. | ||||
| CVE-2026-62164 | 2026-07-15 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-60087. Reason: This candidate is a duplicate of CVE-2026-60087. Notes: All CVE users should reference CVE-2026-60087 instead of this candidate. | ||||
| CVE-2026-40422 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-07-15 | 5.5 Medium |
| Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-55137 | 1 Microsoft | 14 365 Apps, Excel 2016, Microsoft Office 365 For Mac and 11 more | 2026-07-15 | 7.8 High |
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-45065 | 1 Symfony | 1 Symfony | 2026-07-15 | N/A |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, UrlGenerator validates route parameters against a pattern built as ^ plus the raw requirement plus $; with ungrouped alternations, middle alternatives match as unanchored substrings, allowing a value such as //evil.com to satisfy a common locale requirement and generate a protocol-relative off-site URL. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. | ||||