Export limit exceeded: 360077 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (360077 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47341 | 2026-06-22 | N/A | ||
| Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-48895 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-49231 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-49230 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-44087 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-47339 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-12809 | 1 Edimax | 1 Br-6478ac V2 | 2026-06-22 | 6.3 Medium |
| A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-44046 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-39999 | 1 Apache | 1 Apache Apisix | 2026-06-22 | N/A |
| Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue. | ||||
| CVE-2026-12799 | 2 Berriai, Litellm | 2 Litellm, Litellm | 2026-06-22 | 4.3 Medium |
| A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-44915 | 1 Apache | 1 Apisix | 2026-06-22 | N/A |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-39998 | 1 Apache | 1 Apache Apisix | 2026-06-22 | N/A |
| Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | ||||
| CVE-2026-56448 | 1 Ail-project | 1 Ail-framework | 2026-06-22 | N/A |
| A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An authenticated AIL user can supply crafted object identifiers through the investigation workflow to cause file paths to resolve outside the intended image, favicon, or screenshot storage directories. This may allow the attacker to download and read arbitrary files that are accessible to the AIL process. The issue occurs because user-controlled path components were joined with application storage paths without verifying that the resolved path remained within the expected directory. The affected download functionality could then include the contents of such files in a generated archive. | ||||
| CVE-2026-9162 | 1 Mattermost | 1 Mattermost | 2026-06-22 | 4.3 Medium |
| Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.. Mattermost Advisory ID: MMSA-2026-00664 | ||||
| CVE-2026-48137 | 1 Ni | 2 Grpc-device, Instrumentstudio | 2026-06-22 | 9.1 Critical |
| There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions. | ||||
| CVE-2026-48138 | 1 Ni | 2 Grpc-device, Instrumentstudio | 2026-06-22 | 7.5 High |
| There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions. | ||||
| CVE-2026-4027 | 1 Flexera | 1 Flexnet Manager Suite | 2026-06-22 | N/A |
| A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 and R2 that could allow unauthorized access to attachment files due to insufficient access control. | ||||
| CVE-2026-12780 | 1 Aomei | 1 Backupper | 2026-06-22 | 7.8 High |
| A vulnerability was determined in AOMEI Backupper up to 8.3.0. Impacted is an unknown function in the library amwrtdrv.sys of the component Kernel Driver. Executing a manipulation can lead to improper access controls. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-11746 | 2026-06-22 | N/A | ||
| A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster. | ||||
| CVE-2026-11748 | 2026-06-22 | N/A | ||
| A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure. | ||||