Export limit exceeded: 364918 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364918 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-61876 1 Openwrt 1 Luci 2026-07-12 8.8 High
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
CVE-2026-12116 1 Xerte 1 Xerte Online Tools 2026-07-12 9.8 Critical
A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.
CVE-2026-14261 1 Xerte 1 Xerte Online Tools 2026-07-12 9.1 Critical
A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.
CVE-2026-13462 1 Payrange 1 Payrange 2026-07-12 7.5 High
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.
CVE-2026-51119 2026-07-12 9.1 Critical
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components
CVE-2025-70796 2026-07-12 7.5 High
An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Technology, Inc.) version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web root directory. This may allow disclosure of sensitive system files and configuration data
CVE-2026-39244 2026-07-12 7.5 High
adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.
CVE-2026-21055 1 Samsung Mobile 1 Bixby 2026-07-12 N/A
Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.
CVE-2026-56690 1 Dell 1 Powerflex Manager 2026-07-12 8.5 High
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access.
CVE-2026-56689 1 Dell 1 Powerflex Manager 2026-07-12 7.7 High
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
CVE-2026-56688 1 Dell 1 Powerflex Manager 2026-07-12 9.1 Critical
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure.
CVE-2026-54468 1 Dell 1 Unisphere For Powermax 2026-07-12 6.5 Medium
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a path traversal vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to read arbitrary files.
CVE-2026-54470 1 Dell 1 Unisphere For Powermax 2026-07-12 5.3 Medium
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
CVE-2026-59791 1 Jetbrains 1 Youtrack 2026-07-12 3.5 Low
In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible
CVE-2026-59792 1 Jetbrains 1 Intellij Idea 2026-07-12 9.6 Critical
In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible
CVE-2026-59793 1 Jetbrains 1 Teamcity 2026-07-12 8.8 High
In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration
CVE-2026-59795 1 Jetbrains 1 Teamcity 2026-07-12 8.1 High
In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible
CVE-2026-15502 1 Aojiaozero 1 Antaris 2026-07-12 6.3 Medium
A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-15501 1 Astrbot 1 Astrbot 2026-07-12 6.3 Medium
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function ToolsRoute.test_mcp_connection of the file astrbot/dashboard/routes/tools.py of the component MCP Test Endpoint. The manipulation of the argument mcp_server_config.url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-56336 2026-07-12 5.3 Medium
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. Attackers can enumerate email domains to build mappings of domains to organization UUIDs and SSO provider identifiers, enabling reconnaissance against Capgo tenants.