Export limit exceeded: 355362 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355362 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10811 | 1 Itsourcecode | 1 Fees Management System | 2026-06-04 | 6.3 Medium |
| A security vulnerability has been detected in itsourcecode Fees Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /receipt.php. Such manipulation of the argument ef_id leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-8874 | 2026-06-04 | 7.1 High | ||
| Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS. | ||||
| CVE-2026-45739 | 2026-06-04 | 3.1 Low | ||
| Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue. | ||||
| CVE-2026-44479 | 1 Vercel | 1 Vercel | 2026-06-04 | 5.5 Medium |
| Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1. | ||||
| CVE-2026-10843 | 1 Redhat | 1 Openshift | 2026-06-04 | 7.2 High |
| A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise. | ||||
| CVE-2022-50957 | 1 Avatar Uploader Project | 1 Avatar Uploader | 2026-06-04 | 6.1 Medium |
| Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2026-28525 | 2 Sbabic, Swupdate | 2 Swupdate, Swupdate | 2026-06-04 | 6.8 Medium |
| SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket. | ||||
| CVE-2026-10804 | 1 Streamlit | 1 Streamlit | 2026-06-04 | 3.6 Low |
| A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | ||||
| CVE-2026-8653 | 2026-06-04 | 6.5 Medium | ||
| The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with instructor-level access or above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-10783 | 1 Gradio-app | 1 Gradio | 2026-06-04 | 2.5 Low |
| A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function save_audio_to_cache of the component Audio Cache Key Handler. Performing a manipulation results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The patch is named 13394. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2026-6942 | 1 Radare | 2 Radare2, Radare2 Mcp Server | 2026-06-04 | 9.8 Critical |
| radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication. | ||||
| CVE-2026-50033 | 1 Acronis | 1 Acronis Devicelock Dlp | 2026-06-04 | N/A |
| Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | ||||
| CVE-2026-45433 | 1 Gx India | 2 Gx Earth 1010, Gx Earth 2022 | 2026-06-04 | N/A |
| This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device. | ||||
| CVE-2026-44682 | 1 Acronis | 1 Acronis Devicelock Dlp | 2026-06-04 | N/A |
| Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | ||||
| CVE-2026-42061 | 1 Acronis | 1 Acronis Devicelock Dlp | 2026-06-04 | N/A |
| Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | ||||
| CVE-2026-27145 | 1 Go Standard Library | 1 Crypto/x509 | 2026-06-04 | 6.5 Medium |
| (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. | ||||
| CVE-2026-10810 | 1 Itsourcecode | 1 Fees Management System | 2026-06-04 | 4.3 Medium |
| A weakness has been identified in itsourcecode Fees Management System up to 1.0. Affected is an unknown function of the file /navbar.php. This manipulation of the argument page causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-10809 | 1 Itsourcecode | 1 Fees Management System | 2026-06-04 | 6.3 Medium |
| A security flaw has been discovered in itsourcecode Fees Management System 1.0. This impacts an unknown function of the file /manage_user.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-10808 | 1 Itsourcecode | 1 Fees Management System | 2026-06-04 | 6.3 Medium |
| A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /manage_student.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||
| CVE-2026-10807 | 1 Mjperpinosa | 1 Stumasy | 2026-06-04 | 6.3 Medium |
| A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | ||||