Search Results (357821 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-11845 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 7.2 High |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device. | ||||
| CVE-2026-11846 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 8.1 High |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption. | ||||
| CVE-2026-11847 | 1 Iei Integration Corp | 1 Ivec Tank-xm811 | 2026-06-12 | 4.3 Medium |
| The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths. | ||||
| CVE-2026-48914 | 1 Redhat | 5 Enterprise Linux, Enterprise Linux For Nvidia 26, Enterprise Linux Nvidia and 2 more | 2026-06-12 | 6.7 Medium |
| A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process. | ||||
| CVE-2026-11848 | 1 Iei Integration Corp | 1 Irm-tsi410x | 2026-06-12 | 5.3 Medium |
| The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information. | ||||
| CVE-2026-11849 | 1 Iei Integration Corp | 1 Irm-tsi410x | 2026-06-12 | 9.8 Critical |
| The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database. | ||||
| CVE-2026-47196 | 1 Duck-organization | 1 Questbot | 2026-06-12 | N/A |
| Quest Bot is an open-source Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks `content.includes("")`, which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6. | ||||
| CVE-2026-47195 | 1 Duck-organization | 1 Questbot | 2026-06-12 | N/A |
| Quest Bot is an open-source Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6. | ||||
| CVE-2026-48485 | 1 Duck-organization | 1 Questbot | 2026-06-12 | N/A |
| Quest Bot is an open-source Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6. | ||||
| CVE-2026-49347 | 1 Duck-organization | 1 Questbot | 2026-06-12 | N/A |
| Quest Bot is an open-source Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8. | ||||
| CVE-2017-20240 | 1 Arodland | 1 Crypt::pbkdf2 | 2026-06-12 | 5.9 Medium |
| Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived key. | ||||
| CVE-2026-11879 | 1 Mobatek | 2 Mobaxterm Personal Edition, Mobaxterm Personal Edition Portable | 2026-06-12 | N/A |
| MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading malicious DLLs from a temporary directory that is predictable and can be modified by the user. During startup, the application searches for specific DLLs in this location before resorting to the system’s secure paths, enabling an attacker with local access to place a specially crafted DLL to be executed automatically when the victim launches the application. | ||||
| CVE-2026-11967 | 1 Mobatek | 2 Mobaxterm Personal Edition, Mobaxterm Personal Edition Portable | 2026-06-12 | N/A |
| MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the winspool.drv library from that location during startup, an attacker with local access can place a specially crafted DLL alongside the executable to be executed when the victim launches the application. | ||||
| CVE-2026-6853 | 1 Basbelen Group | 1 Pause+ Mobile App | 2026-06-12 | 9.8 Critical |
| Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5. | ||||
| CVE-2026-54133 | 1 Jmespath | 1 Jmespath.php | 2026-06-12 | 9.8 Critical |
| jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime. | ||||
| CVE-2026-7368 | 1 Yarbo | 2 Yarbo Android/ios Mobile Application, Yarbo Cloud Mqtt Infrastructure | 2026-06-12 | 8.1 High |
| The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls. | ||||
| CVE-2026-10557 | 1 Yarbo | 2 Yarbo Android/ios Mobile Application, Yarbo Cloud Mqtt Infrastructure | 2026-06-12 | 9.8 Critical |
| The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number. | ||||
| CVE-2026-6211 | 1 Global It | 1 Weoll | 2026-06-12 | 8.7 High |
| Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33. | ||||
| CVE-2026-5792 | 1 Hedef Media | 1 Related Marketing Cloud (rmc) | 2026-06-12 | 6.5 Medium |
| Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026. | ||||
| CVE-2026-9638 | 1 Arodland | 1 Crypt::pbkdf2 | 2026-06-12 | 7.5 High |
| Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | ||||