Export limit exceeded: 349171 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349171 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65122 | 1 Regexhq | 1 Youtube-regex | 2026-05-07 | 7.5 High |
| Regex Denial of Service in youtube-regex npm package through version 1.0.5. | ||||
| CVE-2025-63703 | 1 Parse-ini | 1 Parse-ini | 2026-05-07 | N/A |
| npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). | ||||
| CVE-2025-63704 | 1 Victorteokw | 1 Query-string-parser | 2026-05-07 | N/A |
| NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object. | ||||
| CVE-2026-28201 | 2 Lfnovo, Open Notebook | 2 Open-notebook, Open Notebook | 2026-05-07 | 7.8 High |
| An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible. | ||||
| CVE-2026-33587 | 2 Lfnovo, Open Notebook | 2 Open-notebook, Open Notebook | 2026-05-07 | 10.0 Critical |
| Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations. | ||||
| CVE-2026-33588 | 2 Lfnovo, Open Notebook | 2 Open-notebook, Open Notebook | 2026-05-07 | 8.1 High |
| Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal. | ||||
| CVE-2026-33589 | 2 Lfnovo, Open Notebook | 2 Open-notebook, Open Notebook | 2026-05-07 | 6.5 Medium |
| Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal. | ||||
| CVE-2026-3953 | 1 Gosoft Software | 1 Proticaret E-commerce | 2026-05-07 | 8.8 High |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. | ||||
| CVE-2026-42010 | 1 Redhat | 5 Enterprise Linux, Hardened Images, Hummingbird and 2 more | 2026-05-07 | 7.1 High |
| A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. | ||||
| CVE-2026-4775 | 3 Debian, Libtiff, Redhat | 5 Debian Linux, Libtiff, Enterprise Linux and 2 more | 2026-05-07 | 7.8 High |
| A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution. | ||||
| CVE-2025-14341 | 1 Divvydrive | 1 Divvydrive | 2026-05-07 | 8.3 High |
| Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2. | ||||
| CVE-2026-41589 | 1 Charmbracelet | 1 Wish | 2026-05-07 | 9.6 Critical |
| Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1. | ||||
| CVE-2026-41554 | 2 Bricks, Wordpress | 2 Bricks Builder, Wordpress | 2026-05-07 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2. | ||||
| CVE-2026-42011 | 1 Redhat | 5 Enterprise Linux, Hardened Images, Hummingbird and 2 more | 2026-05-07 | 7.4 High |
| A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. | ||||
| CVE-2026-42215 | 1 Gitpython Project | 1 Gitpython | 2026-05-07 | 8.8 High |
| GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47. | ||||
| CVE-2026-43510 | 1 Cisa | 1 Manage.get.gov | 2026-05-07 | 7.6 High |
| manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30. | ||||
| CVE-2026-42241 | 1 G-research | 1 Parquetsharp | 2026-05-07 | 5.3 Medium |
| ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1. | ||||
| CVE-2026-8113 | 2026-05-07 | 4.3 Medium | ||
| A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue. | ||||
| CVE-2026-42284 | 1 Gitpython Project | 1 Gitpython | 2026-05-07 | 8.1 High |
| GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47. | ||||
| CVE-2026-8112 | 2026-05-07 | 6.3 Medium | ||
| A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch. | ||||