Export limit exceeded: 366632 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (366632 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-61464 1 Imagemagick 1 Imagemagick 2026-07-15 1.8 Low
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a heap-based buffer over-write vulnerability that occurs when running an X11 import with a crafted window title, which can result in heap memory corruption and denial of service.
CVE-2026-61860 1 Imagemagick 1 Imagemagick 2026-07-15 3.7 Low
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already freed. This can be triggered during image processing and may lead to a denial of service.
CVE-2026-61864 1 Imagemagick 1 Imagemagick 2026-07-15 2.9 Low
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in color transformation to the log colorspace: when the operation fails, a small amount of memory is not released.
CVE-2026-61865 1 Imagemagick 1 Imagemagick 2026-07-15 2.9 Low
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the hough lines operation: when a specific operation fails, a small memory leak occurs.
CVE-2026-61643 1 Labring 1 Fastgpt 2026-07-15 5.9 Medium
FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user's private HTTP toolset by using a crafted saved tool id such as http-<victim_toolset_app_id>/<tool_name>. The normal toolset routes deny access, but the workflow save and runtime path did not apply the same authorization check to the referenced toolset, allowing /api/v2/chat/completions to resolve the saved reference and execute the victim-owned HTTP tool. This issue is fixed in version 4.15.0-beta5.
CVE-2026-61443 2 Mervinpraison, Praison 2 Praisonai, Praisonai 2026-07-15 8.1 High
PraisonAI before 1.6.78 contains a remote code execution vulnerability in SkillTools.run_skill_script() that executes scripts without path containment validation. Attackers can supply absolute file paths to execute arbitrary scripts from any filesystem location, including those outside the intended working directory.
CVE-2026-61457 1 Getgrav 1 Grav 2026-07-15 8.8 High
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final file extension via pathinfo($filename, PATHINFO_EXTENSION), so a user with api.media.write permission can upload a file with a double extension such as shell.php.jpg to bypass the dangerous extensions blocklist. The web server may then execute the file as PHP, resulting in remote code execution.
CVE-2026-61867 1 Imagemagick 1 Imagemagick 2026-07-15 2.9 Low
ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the TIFF encoder when memory allocation fails. Attackers can trigger allocation failures during TIFF image processing to cause memory exhaustion and denial of service.
CVE-2026-61871 1 Imagemagick 1 Imagemagick 2026-07-15 3.7 Low
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service.
CVE-2025-32781 1 Apolloconfig 1 Apollo 2026-07-15 6.5 Medium
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId} while configView.memberOnly.envs is enabled, allowing a low-privileged Portal user who obtains or guesses a valid releaseId to read configuration data from other applications and namespaces without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...). This issue is fixed in version 2.5.0.
CVE-2026-1562 1 Pegasystems 1 Pega Infinity 2026-07-15 N/A
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
CVE-2026-50562 1 Labring 1 Fastgpt 2026-07-15 N/A
FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged workflow_run jobs in .github/workflows/preview-docs-push.yml and .github/workflows/preview-fastgpt-push.yml, allowing attacker-controlled Docker images from the document/ tree or FastGPT build context to be pushed to GHCR and, for documentation previews, deployed with secrets.KUBE_CONFIG_CN.
CVE-2026-50684 1 Microsoft 8 Windows 10 1607, Windows 10 1809, Windows Server 2012 and 5 more 2026-07-15 4.8 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.
CVE-2026-50649 1 Microsoft 2 .net, Visual Studio 2026 2026-07-15 7.8 High
Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally.
CVE-2026-47304 1 Microsoft 3 .net, Visual Studio 2022, Visual Studio 2026 2026-07-15 8.1 High
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-24243 1 Nvidia 1 Megatron-bridge 2026-07-15 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-24244 1 Nvidia 1 Megatron-bridge 2026-07-15 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-24248 1 Nvidia 1 Megatron-bridge 2026-07-15 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-24249 1 Nvidia 1 Megatron-bridge 2026-07-15 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-61836 1 Directus 1 Directus 2026-07-15 8.6 High
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.