Search Results (354321 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-49382 | 1 Jetbrains | 1 Intellij Idea | 2026-05-29 | 4.5 Medium |
| In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin | ||||
| CVE-2026-49381 | 1 Jetbrains | 1 Teamcity | 2026-05-29 | 3.4 Low |
| In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible | ||||
| CVE-2026-49376 | 1 Jetbrains | 1 Teamcity | 2026-05-29 | 6.5 Medium |
| In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin | ||||
| CVE-2026-49374 | 1 Jetbrains | 1 Teamcity | 2026-05-29 | 7.6 High |
| In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters | ||||
| CVE-2026-49373 | 1 Jetbrains | 1 Teamcity | 2026-05-29 | 7.1 High |
| In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings | ||||
| CVE-2026-49372 | 1 Jetbrains | 1 Teamcity | 2026-05-29 | 7.5 High |
| In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible | ||||
| CVE-2026-49370 | 1 Jetbrains | 1 Youtrack | 2026-05-29 | 3.4 Low |
| In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests | ||||
| CVE-2026-49369 | 1 Jetbrains | 1 Youtrack | 2026-05-29 | 4.3 Medium |
| In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages | ||||
| CVE-2026-49368 | 1 Jetbrains | 1 Youtrack | 2026-05-29 | 8.7 High |
| In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible | ||||
| CVE-2021-4019 | 5 Debian, Fedoraproject, Neovim and 2 more | 5 Debian Linux, Fedora, Neovim and 2 more | 2026-05-29 | 7.8 High |
| vim is vulnerable to Heap-based Buffer Overflow | ||||
| CVE-2026-23265 | 1 Linux | 1 Linux Kernel | 2026-05-29 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io -----------[ cut here ]------------ kernel BUG at fs/f2fs/data.c:358! Call Trace: <IRQ> blk_update_request+0x5eb/0xe70 block/blk-mq.c:987 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149 blk_complete_reqs block/blk-mq.c:1224 [inline] blk_done_softirq+0x107/0x160 block/blk-mq.c:1229 handle_softirqs+0x283/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050 </IRQ> In f2fs_write_end_io(), it detects there is inconsistency in between node page index (nid) and footer.nid of node page. If footer of node page is corrupted in fuzzed image, then we load corrupted node page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(), in where we won't do sanity check on node footer, once node page becomes dirty, we will encounter this bug after node page writeback. | ||||
| CVE-2026-46827 | 1 Oracle | 1 Payroll | 2026-05-29 | 8.8 High |
| Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2026-46842 | 1 Oracle | 1 Rest Data Services | 2026-05-29 | 5.3 Medium |
| Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). | ||||
| CVE-2026-45660 | 1 Statamic | 1 Cms | 2026-05-29 | 5.4 Medium |
| Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1. | ||||
| CVE-2026-44843 | 2 Langchain, Langchain-ai | 2 Langchain, Langchain | 2026-05-29 | 8.2 High |
| LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3. | ||||
| CVE-2026-41104 | 1 Microsoft | 2 Planetary Computer, Planetary Computer Pro | 2026-05-29 | 10 Critical |
| Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-45321 | 16 Abhishake1, Agentworkhq, Antoinebcx and 13 more | 213 Supersurkhet/cli, Supersurkhet/sdk, Taskflow-corp/cli and 210 more | 2026-05-29 | 9.6 Critical |
| On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. | ||||
| CVE-2026-48735 | 2 Py-pdf, Pypdf Project | 2 Pypdf, Pypdf | 2026-05-29 | 5.5 Medium |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1. | ||||
| CVE-2026-48155 | 2 Py-pdf, Pypdf Project | 2 Pypdf, Pypdf | 2026-05-29 | 5.5 Medium |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0. | ||||
| CVE-2026-10066 | 1 Shibby | 1 Tomato | 2026-05-29 | 8.8 High |
| A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | ||||