Search Results (345207 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1115 | 2 Lollms, Parisneo | 2 Lollms, Lollms | 2026-04-16 | N/A |
| A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0. | ||||
| CVE-2026-34781 | 2 Electron, Electronjs | 2 Electron, Electron | 2026-04-16 | 2.8 Low |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | ||||
| CVE-2026-27143 | 2 Golang, Gotoolchain | 2 Go, Cmd/compile | 2026-04-16 | 9.8 Critical |
| Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption. | ||||
| CVE-2026-32280 | 2 Go Standard Library, Golang | 2 Crypto/x509, Go | 2026-04-16 | 7.5 High |
| During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. | ||||
| CVE-2026-3497 | 1 Ubuntu | 1 Openssh | 2026-04-16 | 8.2 High |
| Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL, the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. | ||||
| CVE-2025-62718 | 1 Axios | 1 Axios | 2026-04-16 | 9.9 Critical |
| Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0. | ||||
| CVE-2026-32283 | 2 Go Standard Library, Golang | 2 Crypto Tls, Go | 2026-04-16 | 7.5 High |
| If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | ||||
| CVE-2026-32288 | 2 Go Standard Library, Golang | 2 Archive/tar, Go | 2026-04-16 | 5.5 Medium |
| tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. | ||||
| CVE-2026-29131 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users. | ||||
| CVE-2026-29132 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails. | ||||
| CVE-2026-32289 | 2 Go Standard Library, Golang | 2 Html/template, Go | 2026-04-16 | 6.1 Medium |
| Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally, template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. | ||||
| CVE-2026-29133 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 9.1 Critical |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address. | ||||
| CVE-2026-29134 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions. | ||||
| CVE-2026-29135 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization. | ||||
| CVE-2026-29136 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 6.1 Medium |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject HTML into notification emails about new CA certificates. | ||||
| CVE-2025-63238 | 1 Limesurvey | 1 Limesurvey | 2026-04-16 | 6.1 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user. | ||||
| CVE-2026-29137 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 5.3 Medium |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide security tags from users by crafting a long subject. | ||||
| CVE-2026-29138 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to claim another user's PGP signature as their own. | ||||
| CVE-2025-70797 | 1 Limesurvey | 1 Limesurvey | 2026-04-16 | 6.1 Medium |
| Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. | ||||
| CVE-2026-29139 | 1 Seppmail | 2 Secure Email Gateway, Seppmail Secure Email Gateway | 2026-04-16 | 9.8 Critical |
| SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password. | ||||