Export limit exceeded: 351920 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 351920 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351920 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44048 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 8.8 High |
| A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service. | ||||
| CVE-2026-44047 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 8.8 High |
| An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service. | ||||
| CVE-2026-44051 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 8.1 High |
| An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation. | ||||
| CVE-2026-2734 | 1 Mlflow | 1 Mlflow/mlflow | 2026-05-21 | 6.5 Medium |
| In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0. | ||||
| CVE-2026-4055 | 1 Mattermost | 1 Mattermost | 2026-05-21 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629 | ||||
| CVE-2026-22880 | 1 Mattermost | 1 Mattermost | 2026-05-21 | 6.1 Medium |
| Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564 | ||||
| CVE-2026-44053 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 7.4 High |
| Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack. | ||||
| CVE-2026-5433 | 2026-05-21 | 9.1 Critical | ||
| Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE). | ||||
| CVE-2026-44054 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 6.5 Medium |
| Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism. | ||||
| CVE-2023-4406 | 1 Kc Group E-commerce Software Project | 1 Kc Group E-commerce Software | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS. This issue affects E-Commerce Software: through 20231123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-44074 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 3.7 Low |
| Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths. | ||||
| CVE-2023-4530 | 1 Turnatasarim | 1 Advertising Administration Panel | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Turna Advertising Administration Panel allows SQL Injection. This issue affects Advertising Administration Panel: before 1.1. | ||||
| CVE-2026-44055 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 7.5 High |
| A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code. | ||||
| CVE-2023-4531 | 1 Mestav | 1 E-commerce Software | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestav Software E-commerce Software allows SQL Injection. This issue affects E-commerce Software: before 20230901 . | ||||
| CVE-2023-4541 | 1 Ween | 1 Management Panel | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection. This issue affects Admin Panel: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-35008 | 1 Openises | 1 Tickets | 2026-05-21 | 4.6 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited. | ||||
| CVE-2026-43494 | 1 Linux | 1 Linux Kernel | 2026-05-21 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user(). | ||||
| CVE-2026-42002 | 1 Powerdns | 1 Authoritative | 2026-05-21 | 5.9 Medium |
| Concurrency and locking defects in GSS-TSIG | ||||
| CVE-2026-35014 | 1 Openises | 1 Tickets | 2026-05-21 | 4.6 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | ||||
| CVE-2023-4661 | 1 Adobe | 1 Connect | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saphira Saphira Connect allows SQL Injection. This issue affects Saphira Connect: before 9. | ||||