Export limit exceeded: 363575 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363575 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363575 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363575 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363575 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20243 | 2026-07-03 | 7.5 High | ||
| A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in ALZ files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains ALZ content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software. | ||||
| CVE-2026-54262 | 1 Wagtail | 1 Wagtail | 2026-07-03 | 4.3 Medium |
| Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2. | ||||
| CVE-2026-57272 | 1 Geovision Inc. | 1 Geowebplayer | 2026-07-03 | 8.3 High |
| GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound. #### byPass command index-out-of-bound | ||||
| CVE-2026-8147 | 1 Mlflow | 1 Mlflow/mlflow | 2026-07-03 | N/A |
| In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications. | ||||
| CVE-2026-58523 | 1 Microsoft | 1 Edge Chromium | 2026-07-03 | 6.5 Medium |
| Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2026-57679 | 2026-07-03 | 9.3 Critical | ||
| Unauthenticated SQL Injection in GeekyBot <= 1.2.5 versions. | ||||
| CVE-2026-58298 | 1 Microsoft | 1 Edge Chromium | 2026-07-03 | 7.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-58286 | 1 Microsoft | 1 Edge Chromium | 2026-07-03 | 8.1 High |
| Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-57974 | 1 Microsoft | 1 Edge Chromium | 2026-07-03 | 8.8 High |
| Integer overflow or wraparound in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-45488 | 1 Microsoft | 1 Edge Chromium | 2026-07-03 | 5.4 Medium |
| User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-28740 | 2026-07-03 | 7.1 High | ||
| Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access. | ||||
| CVE-2026-28737 | 2026-07-03 | 8.7 High | ||
| Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer. | ||||
| CVE-2026-28705 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths. | ||||
| CVE-2026-27771 | 2026-07-03 | N/A | ||
| Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information. | ||||
| CVE-2026-27761 | 2026-07-03 | 4.3 Medium | ||
| Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope. | ||||
| CVE-2026-27660 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission. | ||||
| CVE-2026-27657 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 allow a user to change another user's primary email address. | ||||
| CVE-2026-26307 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources. | ||||
| CVE-2026-26292 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests. | ||||
| CVE-2026-26247 | 2026-07-03 | N/A | ||
| Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check. | ||||