Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361176 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361176 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56132 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 6.9 Medium |
| In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. | ||||
| CVE-2026-56131 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 4.9 Medium |
| libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation). | ||||
| CVE-2026-11752 | 1 Ly Corporation | 1 Armeria | 2026-06-22 | N/A |
| A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host. | ||||
| CVE-2026-40624 | 1 Aver | 4 Ptc115, Ptc115+, Ptc500+ and 1 more | 2026-06-22 | 9.8 Critical |
| Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request. | ||||
| CVE-2026-50034 | 1 Apollo Pharmacy | 1 Blood Glucose Monitoring System (model No. Apg-01 Bt) | 2026-06-22 | 6.5 Medium |
| An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values. | ||||
| CVE-2026-52866 | 1 Apollo Pharmacy | 1 Blood Glucose Monitoring System (model No. Apg-01 Bt) | 2026-06-22 | 6.5 Medium |
| An attacker within BLE communication range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection. | ||||
| CVE-2026-47647 | 1 Microsoft | 1 Dynamics 365 | 2026-06-22 | 9.9 Critical |
| Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-49205 | 1 Thorsten | 1 Phpmyfaq | 2026-06-22 | 6.5 Medium |
| phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4. | ||||
| CVE-2026-49248 | 1 Theonedev | 1 Onedev | 2026-06-22 | N/A |
| OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7. | ||||
| CVE-2022-50971 | 1 Malwarebytes | 1 Malwarebytes | 2026-06-22 | 7.8 High |
| Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root path. Attackers can place executable files in unquoted path directories that execute with LocalSystem privileges during service startup or system reboot. | ||||
| CVE-2017-20261 | 1 Weborange | 1 Bargain Product Vm3 | 2026-06-22 | 8.2 High |
| Joomla! Component Bargain Product VM3 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can supply crafted SQL statements in GET requests to the brainy and alice views to extract sensitive database information. | ||||
| CVE-2026-12031 | 2 Google, Microsoft | 2 Chrome, Windows | 2026-06-22 | 8.3 High |
| Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-12032 | 1 Google | 2 Android, Chrome | 2026-06-22 | 3.1 Low |
| Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-2669 | 1 Ibm | 2 Db2 On Cloud Pak For Data, Db2 Warehouse On Cloud Pak For Data | 2026-06-22 | 6 Medium |
| IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of their authority due to improper token validation. | ||||
| CVE-2026-49286 | 1 Pontedilana | 1 Php-weasyprint | 2026-06-22 | 8.1 High |
| PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue. | ||||
| CVE-2026-49287 | 1 Statamic | 1 Cms | 2026-06-22 | 7.4 High |
| Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0. | ||||
| CVE-2017-20279 | 1 Extensions | 1 Joomla Payage | 2026-06-22 | 8.2 High |
| Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Attackers can send GET requests to index.php with malicious aid values in the make_payment task to extract sensitive database information using boolean-based blind or time-based blind techniques. | ||||
| CVE-2017-20273 | 1 Joomlashowroom | 1 Event Registration Pro Calendar | 2026-06-22 | 8.2 High |
| Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information. | ||||
| CVE-2017-20267 | 1 Joomlathat | 1 Calendar Planner | 2026-06-22 | 8.2 High |
| Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information. | ||||
| CVE-2026-54017 | 1 Open-webui | 1 Open-webui | 2026-06-22 | 7.7 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue. | ||||