Export limit exceeded: 357481 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (357481 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47370 | 2026-06-12 | 9.9 Critical | ||
| A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances. | ||||
| CVE-2026-47367 | 2026-06-12 | 9.9 Critical | ||
| A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device. | ||||
| CVE-2026-12031 | 1 Google | 1 Chrome | 2026-06-12 | 8.3 High |
| Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-59382 | 1 Qnap Systems | 3 Qts, Quts Hero, Qutscloud | 2026-06-12 | N/A |
| QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version: | ||||
| CVE-2026-12008 | 1 Google | 1 Chrome | 2026-06-12 | 8.3 High |
| Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | ||||
| CVE-2026-49235 | 1 Nlnetlabs | 1 Routinator | 2026-06-12 | 7.5 High |
| When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes. | ||||
| CVE-2026-49233 | 1 Nlnetlabs | 1 Routinator | 2026-06-12 | 7.5 High |
| Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache. | ||||
| CVE-2026-53442 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-12 | 5.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2026-49234 | 1 Nlnetlabs | 1 Routinator | 2026-06-12 | 7.5 High |
| When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks. | ||||
| CVE-2026-9125 | 2026-06-12 | 6.4 Medium | ||
| The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-53440 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-12 | 4.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. | ||||
| CVE-2026-12015 | 1 Google | 1 Chrome | 2026-06-12 | 5.3 Medium |
| Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-45060 | 1 Macwarrior | 1 Clipbucket-v5 | 2026-06-12 | 9.8 Critical |
| ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #129. | ||||
| CVE-2026-25700 | 1 Apache | 1 Answer | 2026-06-12 | 7.2 High |
| Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | ||||
| CVE-2026-46558 | 2 Makeplane, Plane | 2 Plane, Plane | 2026-06-12 | 8.3 High |
| Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1. | ||||
| CVE-2026-48096 | 1 Openfga | 2 Helm Charts, Openfga | 2026-06-12 | 5 Medium |
| OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0. | ||||
| CVE-2026-21032 | 2 Samsung, Samsung Mobile | 2 Assistant, Samsung Assistant | 2026-06-12 | 7.1 High |
| Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | ||||
| CVE-2026-21033 | 2 Samsung, Samsung Mobile | 2 Assistant, Samsung Assistant | 2026-06-12 | 7.1 High |
| Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | ||||
| CVE-2025-24165 | 1 Apple | 1 Macos | 2026-06-12 | N/A |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to cause unexpected system termination. | ||||
| CVE-2026-47238 | 1 Macwarrior | 1 Clipbucket-v5 | 2026-06-12 | 6.5 Medium |
| ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133. | ||||