Export limit exceeded: 356530 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (356530 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10725 | 1 Crux | 1 Protocol::http2 | 2026-06-09 | 7.5 High |
| Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag. | ||||
| CVE-2026-44757 | 1 Sap | 1 Introscope Enterprise Manager | 2026-06-09 | 4.7 Medium |
| SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability. | ||||
| CVE-2025-66329 | 1 Huawei | 2 Emui, Harmonyos | 2026-06-09 | 4 Medium |
| Permission control vulnerability in the window management module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-11695 | 1 Google | 1 Chrome | 2026-06-09 | 4.3 Medium |
| Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-41979 | 1 Huawei | 1 Harmonyos | 2026-06-09 | 5.5 Medium |
| Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect integrity and confidentiality. | ||||
| CVE-2025-66274 | 2 Qnap, Qnap Systems | 2 Quts Hero, Quts Hero | 2026-06-09 | 4.9 Medium |
| A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.2.3354 build 20251225 and later QuTS hero h6.0.0.3397 build 20260206 and later | ||||
| CVE-2025-59381 | 1 Qnap | 2 Qts, Quts Hero | 2026-06-09 | 4.9 Medium |
| A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.2.3354 build 20251225 and later | ||||
| CVE-2026-41975 | 1 Huawei | 1 Harmonyos | 2026-06-09 | 6.3 Medium |
| Permission management vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect service integrity. | ||||
| CVE-2026-11645 | 1 Google | 1 Chrome | 2026-06-09 | 8.8 High |
| Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-11684 | 1 Google | 1 Chrome | 2026-06-09 | 3.1 Low |
| Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-41978 | 1 Huawei | 1 Harmonyos | 2026-06-09 | 4.4 Medium |
| Permission control vulnerability in the clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2026-41850 | 1 Spring | 1 Spring Framework | 2026-06-09 | 7.5 High |
| Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-41855 | 1 Spring | 1 Spring Framework | 2026-06-09 | 8.1 High |
| In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-41844 | 1 Spring | 1 Spring Framework | 2026-06-09 | 4.2 Medium |
| A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-41848 | 1 Spring | 1 Spring Framework | 2026-06-09 | 3.7 Low |
| Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-11459 | 1 Secureage | 1 Catchpulse | 2026-06-09 | 3.3 Low |
| A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. Impacted is an unknown function in the library saappctl.sys of the component IOCTL Handler. The manipulation leads to information disclosure. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-41839 | 1 Spring | 1 Spring Framework | 2026-06-09 | 4.2 Medium |
| A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-41840 | 1 Spring | 1 Spring Framework | 2026-06-09 | 5.9 Medium |
| Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | ||||
| CVE-2026-11688 | 1 Google | 1 Chrome | 2026-06-09 | 8.8 High |
| Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-5714 | 2 Shortpixel, Wordpress | 2 Enable Media Replace, Wordpress | 2026-06-09 | 6.4 Medium |
| The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘location_dir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||