Export limit exceeded: 348908 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 348908 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348908 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42150 | 1 Weblateorg | 1 Wlc | 2026-05-08 | 5.1 Medium |
| wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0. | ||||
| CVE-2023-47268 | 2026-05-08 | N/A | ||
| In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported. | ||||
| CVE-2024-27686 | 2026-05-08 | N/A | ||
| Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. | ||||
| CVE-2026-42278 | 1 Ultradagcom | 1 Core | 2026-05-08 | N/A |
| UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allow any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59. | ||||
| CVE-2026-8137 | 1 Totolink | 2 X5000r, X5000r Firmware | 2026-05-08 | 8.8 High |
| A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-8138 | 1 Tenda | 2 Cx12l, Cx12l Firmware | 2026-05-08 | 8.8 High |
| A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-44916 | 2026-05-08 | 3 Low | ||
| In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing. | ||||
| CVE-2024-33722 | 2026-05-08 | N/A | ||
| SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[]. | ||||
| CVE-2024-46507 | 2026-05-08 | N/A | ||
| A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server. | ||||
| CVE-2024-53326 | 2026-05-08 | N/A | ||
| LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | ||||
| CVE-2022-26522 | 2026-05-08 | N/A | ||
| The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3. | ||||
| CVE-2023-42343 | 1 Alkacon | 1 Opencms | 2026-05-08 | N/A |
| A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | ||||
| CVE-2023-42344 | 2026-05-08 | N/A | ||
| Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | ||||
| CVE-2023-42345 | 1 Alkacon | 1 Opencms | 2026-05-08 | N/A |
| A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | ||||
| CVE-2026-8148 | 2026-05-08 | N/A | ||
| NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | ||||
| CVE-2023-46453 | 2026-05-08 | N/A | ||
| Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200. | ||||
| CVE-2026-8149 | 2026-05-08 | N/A | ||
| A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2. | ||||
| CVE-2026-42274 | 1 Dadrus | 1 Heimdall | 2026-05-08 | N/A |
| Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14. | ||||
| CVE-2026-44298 | 1 Kimai | 1 Kimai | 2026-05-08 | 4.1 Medium |
| Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0. | ||||
| CVE-2026-8069 | 2026-05-08 | N/A | ||
| PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. | ||||