Export limit exceeded: 355829 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355829 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5078 | 1 Morgan Project | 1 Morgan | 2026-06-04 | 5.3 Medium |
| Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user. | ||||
| CVE-2025-11959 | 1 Premierturk | 1 Excavation Management Information System | 2026-06-04 | 8.1 High |
| Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. | ||||
| CVE-2026-44654 | 2 Danny-avila, Librechat | 2 Libre Chat, Librechat | 2026-06-04 | 8.1 High |
| LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agents that reference the same `file_id`. The private agent retains a stale `file_id` reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents — which the attacker has no access to — break silently with stale `file_id` references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch. | ||||
| CVE-2026-44653 | 2 Danny-avila, Librechat | 2 Libre Chat, Librechat | 2026-06-04 | 6.5 Medium |
| LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext. | ||||
| CVE-2026-50206 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 6.8 Medium |
| Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files. | ||||
| CVE-2026-50292 | 1 Freedesktop | 1 Libinput | 2026-06-04 | 7.4 High |
| In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution | ||||
| CVE-2026-49942 | 2026-06-04 | 7.3 High | ||
| Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable. | ||||
| CVE-2026-48480 | 2026-06-04 | N/A | ||
| The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue. | ||||
| CVE-2026-40898 | 2026-06-04 | 5.3 Medium | ||
| quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded. | ||||
| CVE-2025-71316 | 2026-06-04 | 9.8 Critical | ||
| SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26. | ||||
| CVE-2026-50207 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 7.8 High |
| The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity. | ||||
| CVE-2026-50208 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 9.4 Critical |
| High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic. | ||||
| CVE-2026-50209 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 7.8 High |
| Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker. | ||||
| CVE-2026-50211 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 9.8 Critical |
| Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | ||||
| CVE-2026-50210 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 7.5 High |
| The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption. | ||||
| CVE-2026-50212 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 6.5 Medium |
| Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service. | ||||
| CVE-2026-50213 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | 7.5 High |
| The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings. | ||||
| CVE-2026-32625 | 2 Danny-avila, Librechat | 2 Libre Chat, Librechat | 2026-06-04 | 9.6 Critical |
| LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1. | ||||
| CVE-2026-42342 | 2 Remix-run, Shopify | 4 React-router, Server-runtime, React-router and 1 more | 2026-06-04 | 7.5 High |
| React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5. | ||||
| CVE-2026-31942 | 2 Danny-avila, Librechat | 2 Libre Chat, Librechat | 2026-06-04 | 7.1 High |
| LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1. | ||||