Export limit exceeded: 355838 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 355838 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355838 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42211 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 8.1 High |
| React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2. | ||||
| CVE-2026-26378 | 2 Koha, Koha-community | 2 Koha, Koha | 2026-06-04 | 5.4 Medium |
| Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features | ||||
| CVE-2026-40181 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 6.1 Medium |
| React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4. | ||||
| CVE-2026-34077 | 3 Remix-run, Shopify, Turbo-stream | 4 React-router, Turbo-stream, React-router and 1 more | 2026-06-04 | 7.5 High |
| React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | ||||
| CVE-2026-33245 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 8 High |
| React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | ||||
| CVE-2019-10953 | 5 Abb, Phoenixcontact, Schneider-electric and 2 more | 20 Pm554-tp-eth, Pm554-tp-eth Firmware, Ilc 151 Eth and 17 more | 2026-06-04 | 7.5 High |
| ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable Logic Controllers, multiple versions. Researchers have found some controllers are susceptible to a denial-of-service attack due to a flood of network packets. | ||||
| CVE-2026-8879 | 1 Securly | 1 Securly | 2026-06-04 | 7.5 High |
| Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden. | ||||
| CVE-2026-26824 | 1 Libxls Project | 1 Libxls | 2026-06-04 | 6.5 Medium |
| libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when processing a crafted XLS file | ||||
| CVE-2026-28299 | 1 Solarwinds | 1 Web Help Desk | 2026-06-04 | 8.2 High |
| SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory. | ||||
| CVE-2025-52606 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 4.3 Medium |
| HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. | ||||
| CVE-2025-52608 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.1 Low |
| HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root. | ||||
| CVE-2026-10702 | 1 Mozilla | 1 Firefox | 2026-06-04 | 4.3 Medium |
| JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3. | ||||
| CVE-2026-46344 | 2 Open Quantum Safe, Openquantumsafe | 2 Liboqs, Liboqs | 2026-06-04 | 5.3 Medium |
| liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. | ||||
| CVE-2026-44518 | 2 Open Quantum Safe, Openquantumsafe | 2 Liboqs, Liboqs | 2026-06-04 | 5.3 Medium |
| liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. | ||||
| CVE-2025-52609 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.7 Low |
| HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers. | ||||
| CVE-2025-52611 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.1 Low |
| HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object. | ||||
| CVE-2025-52612 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 7.1 High |
| HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. . | ||||
| CVE-2023-26246 | 1 Hyundai | 2 Gen5w L, Gen5w L Firmware | 2026-06-04 | 7.8 High |
| An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check. This indirectly allows an attacker to install custom firmware in the IVI system. | ||||
| CVE-2026-8722 | 2026-06-04 | 6.5 Medium | ||
| Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. | ||||
| CVE-2023-26244 | 1 Hyundai | 2 Gen5w L, Gen5w L Firmware | 2026-06-04 | 7.8 High |
| An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppDMClient binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check of AppUpgrade and .lge.upgrade.xml files, which are used during the firmware installation process. This indirectly allows an attacker to use a custom version of AppUpgrade and .lge.upgrade.xml files. | ||||