Export limit exceeded: 353263 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (353263 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44730 | 1 Opencti-platform | 1 Opencti | 2026-05-26 | 7.2 High |
| OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7. | ||||
| CVE-2026-44707 | 1 Chatwoot | 1 Chatwoot | 2026-05-26 | 6.8 Medium |
| Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0. | ||||
| CVE-2026-24201 | 1 Nvidia | 1 Virtual Gpu Manager | 2026-05-26 | 5.8 Medium |
| NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause an out-of-bound access. A successful exploit of this vulnerability might lead to data tampering, denial of service, or information disclosure. | ||||
| CVE-2026-44669 | 1 Factionsecurity | 1 Faction | 2026-05-26 | 8.7 High |
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2026-42448 | 1 Magic-wormhole | 1 Magic-wormhole | 2026-05-26 | 3.5 Low |
| Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0. | ||||
| CVE-2026-47075 | 1 Benoitc | 1 Hackney | 2026-05-26 | N/A |
| Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1. | ||||
| CVE-2026-9579 | 1 Jeecgboot | 1 Jeecgboot | 2026-05-26 | 6.3 Medium |
| A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded. | ||||
| CVE-2026-45834 | 1 Linux | 1 Linux Kernel | 2026-05-26 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). | ||||
| CVE-2026-42000 | 1 Powerdns | 1 Authoritative | 2026-05-26 | 6.8 Medium |
| Insufficient Validation of Names During AXFR | ||||
| CVE-2026-9564 | 2 Oretnom23, Sourcecodester | 2 Hospitals Patient Records Management System, Hospitals Patient Records Management System | 2026-05-26 | 2.4 Low |
| A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | ||||
| CVE-2026-24162 | 1 Nvidia | 1 Merlin Transformers4rec | 2026-05-26 | 7.8 High |
| NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | ||||
| CVE-2026-9575 | 1 Itsourcecode | 1 Student Transcript Processing System | 2026-05-26 | 7.3 High |
| A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-42001 | 1 Powerdns | 1 Authoritative | 2026-05-26 | 7.5 High |
| Insufficient Validation of Autoprimary SOA Queries | ||||
| CVE-2026-42002 | 1 Powerdns | 1 Authoritative | 2026-05-26 | 5.9 Medium |
| Concurrency and locking defects in GSS-TSIG | ||||
| CVE-2026-2264 | 1 Google | 1 Cloud Apigee-x | 2026-05-26 | N/A |
| A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy. | ||||
| CVE-2026-42396 | 1 Powerdns | 1 Authoritative | 2026-05-26 | 4.9 Medium |
| Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail | ||||
| CVE-2026-34486 | 1 Apache | 1 Tomcat | 2026-05-26 | 7.5 High |
| Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | ||||
| CVE-2026-32181 | 1 Microsoft | 19 Windows 10 21h2, Windows 10 21h2, Windows 10 22h2 and 16 more | 2026-05-26 | 5.5 Medium |
| Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. | ||||
| CVE-2026-26151 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-05-26 | 7.1 High |
| Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-20921 | 1 Microsoft | 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more | 2026-05-26 | 7.5 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | ||||