Export limit exceeded: 352731 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352731 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13755 | 1 Ibm | 1 Db2 | 2026-05-26 | 5.5 Medium |
| IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user. | ||||
| CVE-2026-44728 | 2026-05-26 | 8.2 High | ||
| Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13. | ||||
| CVE-2025-36221 | 1 Ibm | 1 Cloud Pak For Data System Cyclops | 2026-05-26 | 5.3 Medium |
| IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication. | ||||
| CVE-2026-9350 | 1 Nousresearch | 1 Hermes-agent | 2026-05-26 | 7.3 High |
| A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8973 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||||
| CVE-2026-8975 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8974 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-26 | 8.8 High |
| Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-9356 | 1 Sourcecodester | 1 Hospitals Patient Records Management System | 2026-05-26 | 7.3 High |
| A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-9567 | 1 Gpac | 1 Gpac | 2026-05-26 | 3.3 Low |
| A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue. | ||||
| CVE-2026-9560 | 2026-05-26 | N/A | ||
| Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel | ||||
| CVE-2026-44668 | 2026-05-26 | 9.8 Critical | ||
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2026-8205 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.3 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting. | ||||
| CVE-2026-44669 | 2026-05-26 | 8.7 High | ||
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2026-44667 | 2026-05-26 | 8.7 High | ||
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2026-8350 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 8.8 High |
| Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting. | ||||
| CVE-2026-9362 | 1 Edimax | 1 Ew-7438rpn | 2026-05-26 | 6.3 Medium |
| A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8139 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | 5.4 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-48899 | 2026-05-26 | N/A | ||
| An improper access check allows privilege escalation through the com_users batch task. | ||||
| CVE-2026-44680 | 2026-05-26 | 7.6 High | ||
| MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. | ||||
| CVE-2025-36220 | 1 Ibm | 1 Cloud Pak For Data System Cyclops | 2026-05-26 | 4.3 Medium |
| IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | ||||