Export limit exceeded: 80661 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (80661 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-46446 | 1 Alinto | 1 Sogo | 2026-05-14 | 7.1 High |
| SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin. | ||||
| CVE-2026-46445 | 1 Alinto | 1 Sogo | 2026-05-14 | 7.1 High |
| SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection. | ||||
| CVE-2026-44871 | 1 Hpe | 1 Arubaos | 2026-05-14 | 7.2 High |
| Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | ||||
| CVE-2026-8053 | 1 Mongodb | 2 Mongodb, Mongodb Server | 2026-05-14 | 8.8 High |
| An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2. | ||||
| CVE-2026-34690 | 3 Adobe, Apple, Microsoft | 3 After Effects, Macos, Windows | 2026-05-14 | 7.8 High |
| After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-46419 | 2026-05-14 | 7.5 High | ||
| Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation. | ||||
| CVE-2026-42945 | 1 F5 | 2 Nginx Open Source, Nginx Plus | 2026-05-14 | 8.1 High |
| NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2026-29205 | 2 Webpros, Wordpress | 3 Cpanel, Wp Squared, Wordpress | 2026-05-14 | 8.6 High |
| Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints. | ||||
| CVE-2026-28955 | 1 Apple | 7 Ios And Ipados, Ipados, Iphone Os and 4 more | 2026-05-14 | 7.5 High |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash. | ||||
| CVE-2024-13986 | 1 Nagios | 2 Nagios Xi, Xi | 2026-05-14 | 8.8 High |
| Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. | ||||
| CVE-2024-0241 | 1 Diaconou | 1 Encodedid\ | 2026-05-14 | 7.5 High |
| encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long "id" parameter. | ||||
| CVE-2026-32993 | 1 Webpros | 2 Cpanel, Wp Squared | 2026-05-14 | 8.3 High |
| Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response. | ||||
| CVE-2026-29202 | 1 Webpros | 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Sqaured | 2026-05-14 | 8.8 High |
| Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user. | ||||
| CVE-2026-44478 | 1 Hoppscotch | 1 Hoppscotch | 2026-05-14 | 7.5 High |
| hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0. | ||||
| CVE-2026-32992 | 1 Webpros | 2 Cpanel, Wp Squared | 2026-05-14 | 8.2 High |
| SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials. | ||||
| CVE-2026-43141 | 1 Linux | 1 Linux Kernel | 2026-05-13 | 7.1 High |
| In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value. | ||||
| CVE-2026-29201 | 1 Webpros | 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Squared | 2026-05-13 | 8.6 High |
| Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. | ||||
| CVE-2026-32991 | 2026-05-13 | 7.1 High | ||
| Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account. | ||||
| CVE-2026-29206 | 2026-05-13 | 8.1 High | ||
| Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled. | ||||
| CVE-2026-44447 | 1 Frappe | 1 Erpnext | 2026-05-13 | 8.8 High |
| ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0. | ||||