Export limit exceeded: 359997 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 359997 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (359997 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40988 | 2 Spring, Vmware | 2 Spring Security, Spring Security | 2026-06-12 | 7.5 High |
| An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | ||||
| CVE-2026-41003 | 2 Spring, Vmware | 2 Spring Security, Spring Security | 2026-06-12 | 7.6 High |
| An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | ||||
| CVE-2026-42890 | 1 Actualbudget | 1 Actual | 2026-06-12 | N/A |
| Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue. | ||||
| CVE-2026-41694 | 2 Spring, Vmware | 2 Spring Security, Spring Security | 2026-06-12 | 3.7 Low |
| Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | ||||
| CVE-2026-45178 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Conjur Enterprise, Conjur Enterprise | 2026-06-12 | N/A |
| Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20 | ||||
| CVE-2026-45177 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Conjur Cloud, Conjur Cloud Edge Finding Only | 2026-06-12 | N/A |
| Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20 | ||||
| CVE-2026-45176 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privilege Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45175 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privilege Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to circumvent agent self-defense mechanisms and execute unauthorized operations. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45174 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privileged Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45173 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Identity Browser Extensions, Identity Browser Extensions | 2026-06-12 | N/A |
| Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21 | ||||
| CVE-2026-45172 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Privileged Session Manager, Pam Self-hosted Privilege Cloud | 2026-06-12 | N/A |
| Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18 | ||||
| CVE-2026-45171 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Privileged Session Manager, Privileged Session Manager Vault | 2026-06-12 | N/A |
| Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletin: CA26-17 and CA26-18 | ||||
| CVE-2026-47365 | 2 Webpros, Wordpress | 2 Wordpress-toolkit, Wordpress | 2026-06-12 | 9.9 Critical |
| Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account. | ||||
| CVE-2026-47369 | 1 Ubiquiti | 32 Efg, Envr, Envr-core and 29 more | 2026-06-12 | 9.9 Critical |
| A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances. | ||||
| CVE-2026-47370 | 1 Ubiquiti | 31 Efg, Envr, Envr-core and 28 more | 2026-06-12 | 9.9 Critical |
| A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances. | ||||
| CVE-2026-12060 | 1 Hepta Platforms | 1 Heptabase | 2026-06-12 | 6.5 Medium |
| Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions. | ||||
| CVE-2026-11844 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 4.9 Medium |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope. | ||||
| CVE-2026-11845 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 7.2 High |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device. | ||||
| CVE-2026-11846 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 8.1 High |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption. | ||||
| CVE-2026-11847 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 4.3 Medium |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths. | ||||