Export limit exceeded: 362578 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 362578 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (362578 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57962 | 1 Mozilla | 1 Thunderbird | 2026-07-01 | N/A |
| A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1. | ||||
| CVE-2026-20463 | 2026-07-01 | 6.7 Medium | ||
| In Modem, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: MOLY01716533; Issue ID: MSV-6309. | ||||
| CVE-2026-14106 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-10585 | 1 Github | 1 Enterprise Server | 2026-07-01 | N/A |
| A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2026-9106 | 1 Github | 1 Enterprise Server | 2026-07-01 | N/A |
| A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2026-12579 | 2026-07-01 | 7.4 High | ||
| AS228T with Authentication Bypass Vulnerability | ||||
| CVE-2026-11562 | 2026-07-01 | 4.3 Medium | ||
| The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings. | ||||
| CVE-2026-11570 | 2026-07-01 | 4.2 Medium | ||
| The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled. | ||||
| CVE-2026-50043 | 2026-07-01 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege. | ||||
| CVE-2026-12575 | 1 Deltaww | 1 Dvp80es3 | 2026-07-01 | 7.5 High |
| DVP80ES3 with Improper Resource Shutdown or Release vulnerability. | ||||
| CVE-2026-12576 | 1 Deltaww | 1 Dvp80es3 | 2026-07-01 | 7.5 High |
| DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability. | ||||
| CVE-2026-10539 | 2026-07-01 | 9 Critical | ||
| A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions. | ||||
| CVE-2026-10538 | 2026-07-01 | 8 High | ||
| Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content. | ||||
| CVE-2026-13948 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium) | ||||
| CVE-2026-13957 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Incorrect security UI in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13968 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Insufficient validation of untrusted input in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium) | ||||
| CVE-2026-13979 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14043 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Use after free in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-14055 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-14083 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Insufficient validation of untrusted input in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||||