Export limit exceeded: 350386 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350386 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-7010 | 1 Haarg | 1 Http::tiny | 2026-05-12 | 6.5 Medium |
| HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. | ||||
| CVE-2026-45190 | 1 Stigtsp | 1 Net::cidr::lite | 2026-05-12 | 6.5 Medium |
| Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191. | ||||
| CVE-2026-45180 | 1 Rrwo | 1 Catalyst::plugin::statsd | 2026-05-12 | 7.5 High |
| Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens. | ||||
| CVE-2026-42885 | 1 Advplyr | 1 Audiobookshelf | 2026-05-12 | 4.3 Medium |
| Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2. | ||||
| CVE-2023-44487 | 33 Akka, Amazon, Apache and 30 more | 378 Http Server, Opensearch Data Prepper, Apisix and 375 more | 2026-05-12 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2026-31784 | 1 Linux | 1 Linux Kernel | 2026-05-12 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: drm/xe/pxp: Clear restart flag in pxp_start after jumping back If we don't clear the flag we'll keep jumping back at the beginning of the function once we reach the end. (cherry picked from commit 0850ec7bb2459602351639dccf7a68a03c9d1ee0) | ||||
| CVE-2026-6402 | 2026-05-12 | 5.3 Medium | ||
| webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses. | ||||
| CVE-2025-61313 | 1 Docuform | 1 Docuform | 2026-05-12 | 7.3 High |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_markeralerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2026-41161 | 1 Sync-in | 2 Server, Sync-in Server | 2026-05-12 | 5.3 Medium |
| Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-41423 | 1 Angular | 1 Angular | 2026-05-12 | 5.3 Medium |
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. | ||||
| CVE-2026-41491 | 2 Dapr, Linuxfoundation | 2 Dapr, Dapr | 2026-05-12 | 8.1 High |
| Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5. | ||||
| CVE-2026-34087 | 1 Wikimedia | 1 Oathauth | 2026-05-12 | N/A |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2. | ||||
| CVE-2026-34089 | 1 Wikimedia | 1 Scribunto | 2026-05-12 | N/A |
| Vulnerability in Wikimedia Foundation Scribunto. This issue affects Scribunto: from 1.45.0 before 1.45.2. | ||||
| CVE-2023-42344 | 1 Alkacon | 1 Opencms | 2026-05-12 | 7.3 High |
| Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | ||||
| CVE-2025-12659 | 1 Siemens | 1 Simcenter Femap | 2026-05-12 | N/A |
| The affected applications contains a memory corruption vulnerability while parsing specially crafted IPT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27349, ZDI-CAN-27389) | ||||
| CVE-2026-8390 | 1 Mozilla | 1 Firefox | 2026-05-12 | N/A |
| Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3. | ||||
| CVE-2026-8391 | 1 Mozilla | 1 Firefox | 2026-05-12 | N/A |
| Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3. | ||||
| CVE-2026-41493 | 2 Lsegal, Yardoc | 2 Yard, Yard | 2026-05-12 | 7.5 High |
| YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42. | ||||
| CVE-2026-41506 | 2 Go-git, Go-git Project | 2 Go-git, Go-git | 2026-05-12 | 4.7 Medium |
| go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2. | ||||
| CVE-2026-41507 | 1 Mauriciopoppe | 1 Math-codegen | 2026-05-12 | 9.8 Critical |
| math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3. | ||||