Export limit exceeded: 355836 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355836 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66586 | 1 Azeotech | 1 Daqfactory | 2026-06-04 | 7.8 High |
| In AzeoTech DAQFactory release 20.7 (Build 2555), an access of resource using incompatible type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | ||||
| CVE-2026-10870 | 1 Shibby | 1 Tomato | 2026-06-04 | 7.2 High |
| A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato. | ||||
| CVE-2026-8881 | 2026-06-04 | 7.5 High | ||
| Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching. | ||||
| CVE-2025-69755 | 2026-06-04 | 8.2 High | ||
| An issue in Neterbit NW-431F Router vNW-431F-20241014-IR03 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted command to the at_command.asp interface | ||||
| CVE-2026-41235 | 1 Froxlor | 1 Froxlor | 2026-06-04 | N/A |
| Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue. | ||||
| CVE-2025-14771 | 1 Abb | 1 T-mac Plus | 2026-06-04 | 9.9 Critical |
| Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | ||||
| CVE-2025-14772 | 1 Abb | 1 T-mac Plus | 2026-06-04 | 8.8 High |
| Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | ||||
| CVE-2025-66585 | 1 Azeotech | 1 Daqfactory | 2026-06-04 | 7.8 High |
| In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | ||||
| CVE-2025-14773 | 1 Abb | 1 T-mac Plus | 2026-06-04 | 8 High |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | ||||
| CVE-2025-14774 | 1 Abb | 1 T-mac Plus | 2026-06-04 | 7.4 High |
| Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | ||||
| CVE-2025-12659 | 1 Siemens | 1 Simcenter Femap | 2026-06-04 | 7.8 High |
| Siemens Simcenter Femap contains a memory corruption vulnerability while parsing specially crafted IPT files. This could allow an attacker to execute code in the context of the current process. | ||||
| CVE-2026-7774 | 1 Python | 1 Cpython | 2026-06-04 | N/A |
| tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. | ||||
| CVE-2026-49941 | 2026-06-04 | 7.5 High | ||
| Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service. | ||||
| CVE-2026-49448 | 1 Goauthentik | 1 Authentik | 2026-06-04 | 9.8 Critical |
| authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1. | ||||
| CVE-2026-49443 | 1 Goauthentik | 1 Authentik | 2026-06-04 | 8.8 High |
| authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1. | ||||
| CVE-2026-47201 | 1 Goauthentik | 1 Authentik | 2026-06-04 | 8.5 High |
| authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1. | ||||
| CVE-2026-1341 | 1 Avation | 1 Light Engine Pro | 2026-06-04 | N/A |
| Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | ||||
| CVE-2025-54808 | 2 Nanoporetech, Oxford Nano Technologies | 2 Minknow, Minknow | 2026-06-04 | 7.8 High |
| Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms. | ||||
| CVE-2026-42849 | 1 Goauthentik | 1 Authentik | 2026-06-04 | 9.3 Critical |
| authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3. | ||||
| CVE-2025-54807 | 1 Doverfuelingsolutions | 1 Progauge Maglink Lx Console | 2026-06-04 | 9.8 Critical |
| The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system. | ||||