Search

Search Results (366403 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-45064 2026-07-14 N/A
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
CVE-2026-24264 1 Nvidia 1 Triton Inference Server 2026-07-14 7.5 High
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of highly compressed data. A successful exploit of this vulnerability might lead to denial of service.
CVE-2026-24266 1 Nvidia 1 Triton Inference Server 2026-07-14 5.9 Medium
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause a use-after-free issue. A successful exploit of this vulnerability might lead to denial of service.
CVE-2026-24270 2026-07-14 9.8 Critical
NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2026-45070 2026-07-14 N/A
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Mime\Header\ParameterizedHeader validates and encodes parameter values but emits parameter names verbatim, allowing a caller that derives a parameter name from untrusted input to include CRLF or other non-token bytes and inject additional headers into rendered structured mail headers such as Content-Type or Content-Disposition. This issue is reported as fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
CVE-2026-45074 2026-07-14 N/A
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.1.0 until 7.4.12 and 8.0.12, Cas2Handler builds the CAS service parameter from Request::getSchemeAndHttpHost(), which reflects an attacker-controlled Host header when framework.trusted_hosts is not configured; an attacker controlling another application registered with the same CAS server can replay a victim ticket against the Symfony application and authenticate as the victim. This issue is fixed in versions 7.4.12 and 8.0.12.
CVE-2026-45077 2026-07-14 N/A
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the server:log listener (Symfony\Bridge\Monolog\Command\ServerLogCommand) binds to 0.0.0.0:9911 by default and processes each received frame with unserialize(base64_decode($message)) without authentication, integrity checks, or an allowed_classes allowlist, allowing any reachable host to submit attacker-chosen serialized PHP payloads that can crash the listener and may trigger object-injection gadget effects. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
CVE-2026-45067 2026-07-14 N/A
### Description `Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before `@`) is an RFC-5322 *quoted string* containing raw `\r\n` bytes — e.g. `"x\r\nBcc: attacker@evil"@example.com`. The stored address is later emitted verbatim into (1) the rendered message headers and (2) `SmtpTransport`'s `MAIL FROM:<...>` / `RCPT TO:<...>` protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. ### Resolution The `Address` constructor now rejects addresses containing line breaks. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604) for branch 5.4. ### Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
CVE-2026-41121 1 Dell 1 Device Management Agent 2026-07-14 7.3 High
Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
CVE-2026-15641 2026-07-14 N/A
Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review.
CVE-2026-58640 1 Microsoft 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more 2026-07-14 7.3 High
Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.
CVE-2026-55133 1 Microsoft 4 365 Apps, Office 365, Office Macos 2021 and 1 more 2026-07-14 7.8 High
Heap-based buffer overflow in Microsoft Office OneNote allows an unauthorized attacker to execute code locally.
CVE-2026-56648 1 Microsoft 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more 2026-07-14 7.5 High
Time-of-check time-of-use (toctou) race condition in Windows Network File System allows an authorized attacker to elevate privileges over a network.
CVE-2026-56649 1 Microsoft 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more 2026-07-14 5.9 Medium
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.
CVE-2026-54117 1 Microsoft 1 Sql Server 2025 2026-07-14 8.8 High
Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-55011 1 Microsoft 1 Malware Protection Engine 2026-07-14 7.8 High
Integer underflow (wrap or wraparound) in Microsoft Defender allows an unauthorized attacker to execute code locally.
CVE-2026-57087 1 Microsoft 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more 2026-07-14 8.8 High
Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network.
CVE-2026-57093 1 Microsoft 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more 2026-07-14 7 High
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-54132 1 Microsoft 9 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 6 more 2026-07-14 6.8 Medium
Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack.
CVE-2026-57108 1 Microsoft 1 .net 2026-07-14 7.5 High
Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.