Export limit exceeded: 351761 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351761 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40362 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-05-19 | 7.8 High |
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-40363 | 1 Microsoft | 10 365 Apps, Office, Office 2016 and 7 more | 2026-05-19 | 8.4 High |
| Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-40364 | 1 Microsoft | 10 365 Apps, Office, Office 2019 and 7 more | 2026-05-19 | 8.4 High |
| Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-40366 | 1 Microsoft | 10 365 Apps, Office, Office 2019 and 7 more | 2026-05-19 | 8.4 High |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-40418 | 1 Microsoft | 6 365 Apps, Office, Office 2019 and 3 more | 2026-05-19 | 7.8 High |
| Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-40419 | 1 Microsoft | 6 365 Apps, Office, Office 2019 and 3 more | 2026-05-19 | 7.8 High |
| Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-40420 | 1 Microsoft | 6 365 Apps, Office, Office 2019 and 3 more | 2026-05-19 | 8.8 High |
| Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-8945 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.5 High |
| Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151. | ||||
| CVE-2026-8959 | 1 Mozilla | 1 Firefox | 2026-05-19 | 9.6 Critical |
| Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8960 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.5 High |
| Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||||
| CVE-2026-8974 | 1 Mozilla | 1 Firefox | 2026-05-19 | 9.8 Critical |
| Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8706 | 1 Mozilla | 1 Firefox For Ios | 2026-05-19 | 6.5 Medium |
| Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0. | ||||
| CVE-2026-6333 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-05-19 | 3.5 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582 | ||||
| CVE-2025-40901 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-05-19 | 5.9 Medium |
| A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | ||||
| CVE-2026-8751 | 2 H2o, H2oai | 2 H2o, H2o-3 | 2026-05-19 | 7.3 High |
| A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-40902 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-05-19 | 5.9 Medium |
| A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | ||||
| CVE-2025-40903 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-05-19 | 5.9 Medium |
| A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | ||||
| CVE-2026-8752 | 2 H2o, H2oai | 2 H2o, H2o-3 | 2026-05-19 | 5.3 Medium |
| A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-40904 | 2 Nozomi Networks, Nozominetworks | 4 Cmc, Guardian, Cmc and 1 more | 2026-05-19 | 6.5 Medium |
| A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | ||||
| CVE-2026-3495 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-05-19 | 3.8 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622 | ||||