Export limit exceeded: 355825 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 355825 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355825 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4881 | 2026-06-04 | N/A | ||
| In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error. | ||||
| CVE-2026-46739 | 2026-06-04 | 5.3 Medium | ||
| Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection). | ||||
| CVE-2026-45022 | 2 Go-git, Go-git Project | 2 Go-git, Go-git | 2026-06-04 | 7.5 High |
| go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3. | ||||
| CVE-2026-43985 | 1 Tautulli | 1 Tautulli | 2026-06-04 | 8.8 High |
| Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue. | ||||
| CVE-2026-5121 | 2 Libarchive, Redhat | 17 Libarchive, Ai Inference Server, Discovery and 14 more | 2026-06-04 | 7.5 High |
| A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system. | ||||
| CVE-2026-7299 | 1 Appsmith | 1 Appsmith | 2026-06-04 | 6.3 Medium |
| Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. | ||||
| CVE-2026-46741 | 2026-06-04 | 7.5 High | ||
| Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections. | ||||
| CVE-2026-1871 | 1 Tp-link | 3 Tapo C200, Tapo C200 Firmware, Tapo C200 V5 | 2026-06-04 | 6.5 Medium |
| TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts. | ||||
| CVE-2026-24221 | 1 Nvidia | 1 Nvtabular | 2026-06-04 | 7.8 High |
| NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering and information disclosure. | ||||
| CVE-2026-24237 | 1 Nvidia | 1 Nvtabular | 2026-06-04 | 7.8 High |
| NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | ||||
| CVE-2026-44839 | 2 Broadcom, Rabbitmq | 2 Rabbitmq Server, Rabbitmq-server | 2026-06-04 | 4.8 Medium |
| RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. | ||||
| CVE-2026-40713 | 1 Dell | 1 Thinos | 2026-06-04 | 6.1 Medium |
| Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access control vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information exposure. | ||||
| CVE-2026-37462 | 1 Osrg | 1 Gobgp | 2026-06-04 | 7.5 High |
| An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | ||||
| CVE-2026-22054 | 2026-06-04 | N/A | ||
| Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | ||||
| CVE-2026-22055 | 2026-06-04 | N/A | ||
| Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | ||||
| CVE-2026-38570 | 1 Bacnetstack | 1 Bacnet Stack | 2026-06-04 | N/A |
| bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service. | ||||
| CVE-2026-10868 | 1 Misp | 1 Misp | 2026-06-04 | N/A |
| A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation. | ||||
| CVE-2026-40715 | 1 Dell | 1 Thinos | 2026-06-04 | 7.8 High |
| Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation. | ||||
| CVE-2026-5228 | 2026-06-04 | 8.8 High | ||
| Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026. | ||||
| CVE-2026-10813 | 1 Lmcache | 1 Lmcache | 2026-06-04 | 3.6 Low |
| A flaw has been found in LMCache up to 0.4.6. This affects the function hex_hash_to_int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance. | ||||