Export limit exceeded: 366631 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 366631 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 366631 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366631 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-48784 | 2026-07-15 | N/A | ||
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, UrlGenerator::doGenerate() used strtr() dot-segment encoding that skipped every other chained ../ or ./ segment, allowing attacker-controlled route parameters to generate URLs that collapse to a different path under RFC 3986 normalization. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13. | ||||
| CVE-2026-48038 | 2026-07-15 | 5.3 Medium | ||
| joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link() schemas. When validate() is called without try/catch in a request handler, deeply nested input can trigger an unhandled RangeError and potentially crash the process; lower-impact paths using validateAsync() or try/catch produce a RangeError instead of a structured ValidationError. This issue is fixed in versions 17.13.4 and 18.2.1. | ||||
| CVE-2026-48069 | 2026-07-15 | 7.5 High | ||
| @grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. | ||||
| CVE-2026-50663 | 1 Microsoft | 2 Age Of Empires Ii, Age Of Empires Ii | 2026-07-15 | 8.8 High |
| Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-53486 | 2026-07-15 | 9.1 Critical | ||
| The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3. | ||||
| CVE-2026-45072 | 2026-07-15 | N/A | ||
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.4.24 until 6.4.40, 7.4.12, and 8.0.12, the development profiler file_excerpt Twig filter escapes PHP files through highlight_string() but interpolates lines from non-PHP files directly into <code> elements, allowing stored XSS against a developer who opens an attacker-written file such as var/log/dev.log in the profiler. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. | ||||
| CVE-2026-56398 | 1 Openwebui | 1 Open Webui | 2026-07-15 | 7.3 High |
| Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover. | ||||
| CVE-2026-59254 | 1 N8n | 1 N8n | 2026-07-15 | N/A |
| n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions. | ||||
| CVE-2026-61433 | 1 Praison | 1 Praisonai | 2026-07-15 | 7.8 High |
| PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests. | ||||
| CVE-2026-61446 | 1 Praison | 1 Praisonai | 2026-07-15 | 8.4 High |
| PraisonAI (praisonaiagents) before 1.6.78 contains a remote code execution vulnerability in the plugin manager, which loads and executes arbitrary Python (.py) files from project-level and user-home .praisonai/plugins/ directories using importlib spec_from_file_location() and exec_module() without code signing, integrity verification, or sandboxing. An attacker who can write a malicious .py file to a plugin directory (for example via path traversal, a supply chain attack, or a compromised dependency) achieves arbitrary code execution when the plugin system initializes. | ||||
| CVE-2026-45068 | 2026-07-15 | N/A | ||
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, SendmailTransport in -t mode appended recipient addresses to the sendmail command line without a -- end-of-options separator, allowing an address beginning with - to be interpreted as a sendmail command-line option instead of an address. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. | ||||
| CVE-2026-34346 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-07-15 | 5.5 Medium |
| Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-48736 | 2026-07-15 | N/A | ||
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowing attacker-supplied URLs to represent private IPv4 targets in forms that IpUtils::isPrivateIp() did not block. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13. | ||||
| CVE-2026-48252 | 2026-07-15 | 8.6 High | ||
| Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed. | ||||
| CVE-2026-48260 | 2026-07-15 | 5.4 Medium | ||
| Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-15702 | 1 Tamagui | 1 Tamagui | 2026-07-15 | 6.3 Medium |
| A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to version 2.3.1 is able to mitigate this issue. The name of the patch is e46af9879b7627934ea4d6d6e46e65cea53abb3d. The affected component should be upgraded. | ||||
| CVE-2026-54469 | 1 Dell | 1 Unisphere For Powermax | 2026-07-15 | 8.8 High |
| Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | ||||
| CVE-2026-59791 | 1 Jetbrains | 1 Youtrack | 2026-07-15 | 3.5 Low |
| In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible | ||||
| CVE-2026-59792 | 1 Jetbrains | 1 Intellij Idea | 2026-07-15 | 9.6 Critical |
| In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible | ||||
| CVE-2026-59794 | 1 Jetbrains | 1 Teamcity | 2026-07-15 | 7.3 High |
| In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data | ||||