Export limit exceeded: 352726 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352726 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13755 | 1 Ibm | 1 Db2 | 2026-05-26 | 5.5 Medium |
| IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user. | ||||
| CVE-2026-44728 | 2026-05-26 | 8.2 High | ||
| Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13. | ||||
| CVE-2025-36221 | 1 Ibm | 1 Cloud Pak For Data System Cyclops | 2026-05-26 | 5.3 Medium |
| IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication. | ||||
| CVE-2026-9350 | 1 Nousresearch | 1 Hermes-agent | 2026-05-26 | 7.3 High |
| A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8973 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||||
| CVE-2026-8975 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8974 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-9356 | 1 Sourcecodester | 1 Hospitals Patient Records Management System | 2026-05-26 | 7.3 High |
| A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-8205 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.3 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting. | ||||
| CVE-2026-8350 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 8.8 High |
| Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting. | ||||
| CVE-2026-9362 | 1 Edimax | 1 Ew-7438rpn | 2026-05-26 | 6.3 Medium |
| A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8139 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.4 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-44680 | 2026-05-26 | 7.6 High | ||
| MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. | ||||
| CVE-2025-36220 | 1 Ibm | 1 Cloud Pak For Data System Cyclops | 2026-05-26 | 4.3 Medium |
| IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | ||||
| CVE-2026-35223 | 2026-05-26 | N/A | ||
| An improper access check allows unauthorized access to com_config webservice endpoints. | ||||
| CVE-2026-8236 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 4.3 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | ||||
| CVE-2026-41164 | 2026-05-26 | 4.4 Medium | ||
| nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31. | ||||
| CVE-2026-8237 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.3 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. | ||||
| CVE-2026-9170 | 1 Ibm | 1 Web Server Plug Ins For Websphere Application Server And Websphere Liberty | 2026-05-26 | 7.5 High |
| IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service and a potential remote code execution due to improper input validation. | ||||
| CVE-2026-47202 | 2026-05-26 | N/A | ||
| Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2. | ||||