Export limit exceeded: 83460 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (83460 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33111 | 1 Microsoft | 2 Copilot Chat, Copilot Chat Edge | 2026-05-14 | 7.5 High |
| Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-4798 | 2 Themefusion, Wordpress | 2 Fusion Builder, Wordpress | 2026-05-14 | 7.5 High |
| The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated. | ||||
| CVE-2020-37219 | 1 Fabrikar | 2 Com Fabrikar, Fabrik | 2026-05-14 | 7.5 High |
| Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files in system directories outside the intended web root. | ||||
| CVE-2020-37223 | 1 Iobit | 1 Uninstaller | 2026-05-14 | 7.8 High |
| IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory and restart the service to execute code with SYSTEM privileges. | ||||
| CVE-2026-44289 | 2 Protobuf, Protobufjs Project | 2 Protobuf, Protobufjs | 2026-05-14 | 7.5 High |
| protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2. | ||||
| CVE-2026-44290 | 2 Protobuf, Protobufjs Project | 2 Protobuf, Protobufjs | 2026-05-14 | 7.5 High |
| protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2. | ||||
| CVE-2026-44291 | 2 Protobuf, Protobufjs Project | 2 Protobuf, Protobufjs | 2026-05-14 | 8.1 High |
| protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2. | ||||
| CVE-2026-44871 | 2 Arubanetworks, Hpe | 3 Arubaos, Sd-wan, Arubaos | 2026-05-14 | 7.2 High |
| Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | ||||
| CVE-2026-41105 | 1 Microsoft | 1 Azure Monitor Action Group Notification System | 2026-05-14 | 8.1 High |
| Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-42825 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-05-14 | 7 High |
| Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-6276 | 2 Curl, Haxx | 2 Libcurl, Curl | 2026-05-14 | 7.5 High |
| Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them. | ||||
| CVE-2026-45109 | 1 Vercel | 1 Next.js | 2026-05-14 | 7.5 High |
| Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6. | ||||
| CVE-2026-28915 | 1 Apple | 1 Macos | 2026-05-14 | 7.8 High |
| A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges. | ||||
| CVE-2026-28943 | 1 Apple | 7 Ios And Ipados, Ipados, Iphone Os and 4 more | 2026-05-14 | 7.5 High |
| A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to determine kernel memory layout. | ||||
| CVE-2026-28873 | 1 Apple | 3 Ios And Ipados, Ipados, Iphone Os | 2026-05-14 | 7.5 High |
| This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging. | ||||
| CVE-2026-28930 | 1 Apple | 1 Macos | 2026-05-14 | 7.5 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data. | ||||
| CVE-2026-28936 | 1 Apple | 5 Ios And Ipados, Ipados, Iphone Os and 2 more | 2026-05-14 | 7.5 High |
| The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination. | ||||
| CVE-2026-46445 | 1 Alinto | 1 Sogo | 2026-05-14 | 7.1 High |
| SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection. | ||||
| CVE-2026-43680 | 1 Claris | 1 Filemaker Cloud | 2026-05-14 | 7.2 High |
| A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5. | ||||
| CVE-2026-43685 | 1 Claris | 1 Filemaker Cloud | 2026-05-14 | 7.2 High |
| A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5. | ||||