Export limit exceeded: 356269 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (356269 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3238 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-06-08 | 7.5 High |
| A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets. | ||||
| CVE-2026-50225 | 1 Acer | 3 Connect M6e 5g, Connect M6e 5g Firmware, Connect M6e 5g Portable Wifi Router | 2026-06-08 | 9.1 Critical |
| The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. | ||||
| CVE-2026-50226 | 1 Acer | 3 Connect M6e 5g, Connect M6e 5g Firmware, Connect M6e 5g Portable Wifi Router | 2026-06-08 | 5.3 Medium |
| Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links. | ||||
| CVE-2026-50214 | 1 Acer | 3 Connect M6e 5g, Connect M6e 5g Firmware, Connect M6e 5g Portable Wifi Router | 2026-06-08 | 9.8 Critical |
| The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. | ||||
| CVE-2026-50752 | 2026-06-08 | 7.4 High | ||
| A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN site-to-site connections that use certificate-based authentication. Successful exploitation could allow interception or modification of traffic traversing the VPN tunnel. | ||||
| CVE-2026-11499 | 1 Tenda | 2 Hg10, Hg7hg9 | 2026-06-08 | 9.8 Critical |
| A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of the argument blkDomain can lead to stack-based buffer overflow. The attack may be performed from remote. | ||||
| CVE-2017-7563 | 1 Trustedfirmware | 1 Trusted Firmware-a | 2026-06-08 | 8.1 High |
| In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 Secure EL1, allowing attackers to bypass the MT_EXECUTE_NEVER protection mechanism. This issue occurs because of inconsistency in the number of execute-never bits (one bit versus two bits). | ||||
| CVE-2017-7564 | 1 Trustedfirmware | 1 Trusted Firmware-a | 2026-06-08 | 7.5 High |
| In ARM Trusted Firmware through 1.3, the secure self-hosted invasive debug interface allows normal world attackers to cause a denial of service (secure world panic) via vectors involving debug exceptions and debug registers. | ||||
| CVE-2021-32032 | 1 Trustedfirmware | 1 Trusted Firmware-m | 2026-06-08 | 7.5 High |
| In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak. | ||||
| CVE-2026-49201 | 1 Acer | 3 Wave 7, Wave 7 Firmware, Wave 7 Router | 2026-06-08 | 9.8 Critical |
| The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. | ||||
| CVE-2026-49198 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-08 | 4.9 Medium |
| Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. | ||||
| CVE-2026-49197 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-08 | 9.8 Critical |
| Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. | ||||
| CVE-2026-49196 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-08 | 7.2 High |
| The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. | ||||
| CVE-2026-49195 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-08 | 8.8 High |
| Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. | ||||
| CVE-2026-49200 | 1 Acer | 3 Wave 7, Wave 7 Firmware, Wave 7 Router | 2026-06-08 | 9.8 Critical |
| The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access. | ||||
| CVE-2026-3109 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-06-08 | 2.2 Low |
| Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584 | ||||
| CVE-2026-3116 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-06-08 | 4.9 Medium |
| Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589 | ||||
| CVE-2026-4482 | 2 Microsoft, Rapid7 | 2 Windows, Insight Agent | 2026-06-08 | 5.5 Medium |
| The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent identity material to any locally authenticated standard user. | ||||
| CVE-2026-11462 | 1 Chengdu Everbrite Network Technology | 2 Beike Shop, Beikeshop | 2026-06-08 | 7.3 High |
| A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue. | ||||
| CVE-2026-11513 | 1 Itsourcecode | 1 Hospital Management System | 2026-06-08 | 6.3 Medium |
| A vulnerability was detected in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminaccount.php. The manipulation of the argument Date results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. | ||||