Export limit exceeded: 26245 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (26245 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6973 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-06-24 | 7.2 High |
| An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | ||||
| CVE-2026-47380 | 1 Nocodb | 1 Nocodb | 2026-06-24 | N/A |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1. | ||||
| CVE-2026-56762 | 1 Hono | 1 Hono | 2026-06-24 | 5.3 Medium |
| Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection. | ||||
| CVE-2025-11226 | 2 Qos, Qos.ch Sarl | 2 Logback, Logback-core | 2026-06-24 | 6.4 Medium |
| ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. | ||||
| CVE-2026-20133 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-06-24 | 6.5 Medium |
| A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system. | ||||
| CVE-2026-54317 | 1 Home-assistant | 1 Core | 2026-06-23 | 7.6 High |
| Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0. | ||||
| CVE-2026-45135 | 1 Caddyserver | 1 Caddy | 2026-06-23 | 8.1 High |
| Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3. | ||||
| CVE-2026-47931 | 1 Adobe | 1 Coldfusion | 2026-06-23 | 8.4 High |
| ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue does not require user interaction. Scope is changed. | ||||
| CVE-2026-49064 | 2 Stiofan, Wordpress | 2 Getpaid, Wordpress | 2026-06-23 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49. | ||||
| CVE-2026-40789 | 2 Tms, Wordpress | 2 Amelia, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions. | ||||
| CVE-2026-49082 | 2 Chatway Live Chat, Wordpress | 2 Chatway Live Chat – Ai Chatbot, Customer Support, Faq & Helpdesk Customer Service & Chat Buttons, Wordpress | 2026-06-23 | 7.4 High |
| Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions. | ||||
| CVE-2026-52692 | 2 Wordpress, Wp.insider | 2 Wordpress, Affiliates Manager | 2026-06-23 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. | ||||
| CVE-2026-52695 | 2 Al Monsor, Wordpress | 2 Abc Crypto Checkout, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. | ||||
| CVE-2026-54197 | 2 Wordpress, Wpmet | 2 Wordpress, Getgenie | 2026-06-23 | 6.5 Medium |
| Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions. | ||||
| CVE-2026-50019 | 1 Yt-dlp | 1 Yt-dlp | 2026-06-23 | 6.1 Medium |
| yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped. This vulnerability is fixed in 2026.06.09. | ||||
| CVE-2026-54316 | 1 Anthropics | 1 Claude Code | 2026-06-23 | N/A |
| Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163. | ||||
| CVE-2026-27604 | 1 Fossbilling | 1 Fossbilling | 2026-06-23 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident. | ||||
| CVE-2026-54276 | 1 Aio-libs | 1 Aiohttp | 2026-06-23 | 3.1 Low |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1. | ||||
| CVE-2026-53537 | 1 Kludex | 1 Python-multipart | 2026-06-23 | 3.7 Low |
| Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30. | ||||
| CVE-2011-0627 | 7 Adobe, Apple, Google and 4 more | 7 Flash Player, Mac Os X, Android and 4 more | 2026-06-23 | 8.8 High |
| Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content, as possibly exploited in the wild in May 2011 by a Microsoft Office document with an embedded .swf file. | ||||