Export limit exceeded: 355988 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355988 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40990 | 2 Spring, Vmware | 2 Spring Cloud Function, Spring Cloud Function | 2026-06-05 | 5.7 Medium |
| OOM error is possible while attempting to add infinite amount of functions to Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected. | ||||
| CVE-2025-7358 | 1 Utarit | 1 Soliclub | 2026-06-05 | 7.5 High |
| Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7. | ||||
| CVE-2025-7630 | 1 Doruk Communication And Automation Industry And Trade Inc. | 1 Wispotter | 2026-06-05 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force. This issue affects Wispotter: from 1.0 before v2025.10.08.1. | ||||
| CVE-2026-11333 | 1 Tittuvarghese | 1 Collegemanagementsystem | 2026-06-05 | 6.3 Medium |
| A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard_page/forms/upload_student_data.php of the component Student Data Upload Endpoint. Such manipulation of the argument Student-Data-CSV leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-34993 | 2 Aio-libs, Aiohttp | 2 Aiohttp, Aiohttp | 2026-06-05 | 6.4 Medium |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading. | ||||
| CVE-2025-7631 | 1 Tumeva Internet Technologies Software Information Advertising And Consulting Services Trade Ltd. Co. | 1 Tumeva News Software | 2026-06-05 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software allows SQL Injection. This issue affects Tumeva Prime News Software: from v.1.0.1 before v1.0.2. | ||||
| CVE-2025-7636 | 1 Ergosis Security Systems Computer Industry And Trade Inc. | 1 Zeus Pdks | 2026-06-05 | 8.8 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-7702 | 1 Pusula | 1 Manageable Email Sending System | 2026-06-05 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System allows Exploiting Trust in Client. This issue affects Manageable Email Sending System: from <=2025.06 before 2025.08.06. | ||||
| CVE-2025-7706 | 1 Tubitak Bilgem Software Technologies Research Institute | 1 Liderahenk | 2026-06-05 | 6.1 Medium |
| Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion. This issue affects Liderahenk: from 3.0.0 to 3.3.1 before 3.5.0. | ||||
| CVE-2025-7708 | 1 Atlas Educational Software Industry | 1 K12net | 2026-06-05 | 6.8 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Atlas Educational Software Industry Ltd. Co. K12net allows Communication Channel Manipulation. This issue affects k12net: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-7713 | 2 Global Interactive Design Media Software, Globalmedya | 2 Content Management System, Content Management System | 2026-06-05 | 7.5 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. | ||||
| CVE-2026-47265 | 2 Aio-libs, Aiohttp | 2 Aiohttp, Aiohttp | 2026-06-05 | 7.5 High |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable. | ||||
| CVE-2025-7714 | 2 Global Interactive Design Media Software, Globalmedya | 2 Content Management System, Content Management System | 2026-06-05 | 7.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): through 21072025. | ||||
| CVE-2025-7743 | 1 Dolusoft | 1 Omaspot | 2026-06-05 | 9.6 Critical |
| Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue affects Omaspot: before 12.09.2025. | ||||
| CVE-2026-11312 | 1 Bytedance | 1 Infinistore | 2026-06-05 | 3.3 Low |
| A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2024-6699 | 2 Mikafon, Mikafonelectronic | 3 Ma7, Ma7 Firmware, Mikafon Ma7 Firmware | 2026-06-05 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection. This issue affects Mikafon MA7: from v3.0 before v3.1. | ||||
| CVE-2026-41567 | 1 Moby | 1 Moby | 2026-06-05 | 7.2 High |
| Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images | ||||
| CVE-2026-9088 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-05 | 2.7 Low |
| A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure. | ||||
| CVE-2026-35212 | 2 Citeum, Opencti-platform | 2 Opencti, Opencti | 2026-06-05 | 6.1 Medium |
| OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does require user interaction but could be exploited by someone sharing stix or any of the ingester. This could lead to CSRF and then large scale session theft. Version 7.260227.0 contains a fix. | ||||
| CVE-2026-38500 | 2026-06-05 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | ||||