Export limit exceeded: 355894 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 355894 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355894 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-36608 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 8.8 High |
| Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request. | ||||
| CVE-2026-36609 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 7.3 High |
| Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password. | ||||
| CVE-2026-36610 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 5.9 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials. | ||||
| CVE-2026-36611 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 7.3 High |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers. | ||||
| CVE-2026-36612 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 6.4 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts). | ||||
| CVE-2026-36613 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 4.3 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers. | ||||
| CVE-2026-36615 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 4.3 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network. | ||||
| CVE-2026-36616 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 5.9 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary. | ||||
| CVE-2026-36618 | 1 Mercusys | 1 Ac12g | 2026-06-05 | 4.3 Medium |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities. | ||||
| CVE-2026-26824 | 2 Libxls, Libxls Project | 2 Libxls, Libxls | 2026-06-05 | 6.5 Medium |
| libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when processing a crafted XLS file | ||||
| CVE-2026-26825 | 2 Libxls, Libxls Project | 2 Libxls, Libxls | 2026-06-05 | 5.3 Medium |
| A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure. | ||||
| CVE-2026-50052 | 2 The Vinyl Cache Project, Varnish Software | 3 Varnish Cache (pre Split), Vinyl Cache, Varnish Cache By Varnish Software | 2026-06-05 | N/A |
| In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default. | ||||
| CVE-2026-5078 | 2 Morgan, Morgan Project | 2 Morgan, Morgan | 2026-06-05 | 5.3 Medium |
| Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user. | ||||
| CVE-2026-35078 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.1 High |
| The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | ||||
| CVE-2026-35079 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.1 High |
| The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | ||||
| CVE-2026-35080 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.1 High |
| The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | ||||
| CVE-2026-35081 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.1 High |
| The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input. | ||||
| CVE-2026-35082 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.8 High |
| The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input. | ||||
| CVE-2026-35084 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.8 High |
| A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root. | ||||
| CVE-2026-35085 | 1 Mbs | 36 Double-a Profibus, Double-a X-link, Double-x Can and 33 more | 2026-06-05 | 8.8 High |
| A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root. | ||||