Search Results (362494 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9263 | 1 Zephyrproject | 1 Zephyr | 2026-06-30 | 6.5 Medium |
| The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, underflowing to 253-255 when len is 0-2. That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not the source PDU length, so up to ~255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem) into an HCI ISO data packet and delivered to the host. The PDU and its segment headers are entirely attacker-controlled and arrive over the air, reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer or a broadcaster the device is synced to can trigger an out-of-bounds read causing information disclosure to the host and potential denial of service (faults or malformed oversized HCI ISO packets). The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume(). | ||||
| CVE-2026-50254 | | | 2026-06-30 | 7.5 High |
| An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it. | ||||
| CVE-2026-35505 | | | 2026-06-30 | 7.5 High |
| An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart. | ||||
| CVE-2026-58450 | 1 Invoiceninja | 1 Invoice Ninja | 2026-06-30 | 4.3 Medium |
| Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled external URLs by injecting a malicious value into the intended query parameter. Attackers can craft a client login link with an external URL in the intended parameter, which is stored in the session without host validation and emitted verbatim via a bare redirect in the ContactLoginController authenticated() handler after the victim completes a legitimate login, enabling phishing attacks. | ||||
| CVE-2026-58449 | 1 Neuml | 1 Txtai | 2026-06-30 | 9.8 Critical |
| txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag. | ||||
| CVE-2026-52868 | | | 2026-06-30 | 8.2 High |
| An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation. | ||||
| CVE-2026-58447 | 1 Iv Org | 1 Invidious | 2026-06-30 | 6.5 Medium |
| Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own. | ||||
| CVE-2026-58446 | 1 Presenton | 1 Presenton | 2026-06-30 | 6.5 Medium |
| Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operator's configured LLM API keys, and creating presentations in the operator's instance. The Electron desktop build is not affected (MCP disabled). | ||||
| CVE-2026-9002 | 1 Ibm | 1 Websphere Extreme Scale | 2026-06-30 | 6.5 Medium |
| IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM. | ||||
| CVE-2026-44947 | 1 Suse | 1 Rancher | 2026-06-30 | N/A |
| A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate. | ||||
| CVE-2026-44949 | 1 Suse | 1 Rancher | 2026-06-30 | N/A |
| A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to the in-cluster rancher-webhook service could submit a crafted admission payload and cause workspace-related Kubernetes objects to be created with attacker-chosen identity data. | ||||
| CVE-2026-48283 | 1 Adobe | 1 Coldfusion | 2026-06-30 | 10 Critical |
| ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | ||||
| CVE-2026-48314 | 1 Adobe | 1 Coldfusion | 2026-06-30 | 6.5 Medium |
| ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-48313 | 1 Adobe | 1 Coldfusion | 2026-06-30 | 9.3 Critical |
| ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed. | ||||
| CVE-2026-48281 | 1 Adobe | 1 Coldfusion | 2026-06-30 | 10 Critical |
| ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | ||||
| CVE-2026-48315 | 1 Adobe | 1 Coldfusion | 2026-06-30 | 9.3 Critical |
| ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | ||||
| CVE-2026-44948 | 1 Suse | 1 Rancher | 2026-06-30 | N/A |
| A path traversal vulnerability in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service. | ||||
| CVE-2026-58174 | 1 Nesquena | 1 Hermes-webui | 2026-06-30 | 6.5 Medium |
| Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as the default profile by the profile authorization check, a user on the default profile can export the imported session transcript and use its session identifier to read files from the named profile's workspace, defeating the application's profile isolation. | ||||
| CVE-2026-11541 | 1 Ibm | 2 Websphere Application Server, Websphere Application Server Liberty | 2026-06-30 | 7.4 High |
| IBM WebSphere Application Server 9.0 and 8.5, and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6, are affected by an HTTP request smuggling vulnerability. | ||||
| CVE-2026-44628 | | | 2026-06-30 | 7.5 High |
| An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record. | ||||