Search Results (6781 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-35562 4 Amazon, Apple, Linux and 1 more 5 Amazon Athena Odbc Driver, Athena Odbc, Macos and 2 more 2026-04-15 7.5 High
Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. To remediate this issue, users should upgrade to version 2.1.0.0.
CVE-2026-35558 4 Amazon, Apple, Linux and 1 more 5 Amazon Athena Odbc Driver, Athena Odbc, Macos and 2 more 2026-04-15 7.8 High
Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by the driver during user-initiated authentication. To remediate this issue, users should upgrade to version 2.1.0.0.
CVE-2026-29181 1 Opentelemetry 2 Opentelemetry, Opentelemetry-go 2026-04-15 7.5 High
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
CVE-2026-32588 1 Apache 1 Cassandra 2026-04-15 6.5 Medium
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
CVE-2026-6112 1 Totolink 2 A7100ru, A7100ru Firmware 2026-04-15 9.8 Critical
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVE-2025-14545 2 Icopydoc, Wordpress 2 Yml For Yandex Market, Wordpress 2026-04-15 6.5 Medium
The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.
CVE-2019-25464 1 Dsd Consulting Services 1 Inputmapper 2026-04-15 5.5 Medium
InputMapper 1.6.10 contains a buffer overflow vulnerability in the username field that allows local attackers to crash the application by entering an excessively long string. Attackers can trigger a denial of service by copying a large payload into the username field and double-clicking to process it, causing the application to crash.
CVE-2026-34513 2 Aio-libs, Aiohttp 2 Aiohttp, Aiohttp 2026-04-15 7.5 High
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-34516 2 Aio-libs, Aiohttp 2 Aiohttp, Aiohttp 2026-04-15 7.5 High
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.
CVE-2026-34517 2 Aio-libs, Aiohttp 2 Aiohttp, Aiohttp 2026-04-15 5.3 Medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2025-3002 2026-04-15 7.3 High
A vulnerability, which was classified as critical, has been found in Digital China DCME-520 up to 20250320. This issue affects some unknown processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php. The manipulation of the argument type_name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVE-2022-35503 1 Osm 1 N2vc 2026-04-15 7.5 High
Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access other parts of a Telco Operator infrastructure other than OSM itself.
CVE-2025-1338 1 Nuuo 1 Camera 2026-04-15 7.3 High
A vulnerability was found in NUUO Camera up to 20250203. It has been declared as critical. This vulnerability affects the function print_file of the file /handle_config.php. The manipulation of the argument log leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-24033 1 Fastify 1 Fastify-multipart 2026-04-15 7.5 High
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`.
CVE-2025-50891 2026-04-15 7.2 High
The server-side backend for Adform Site Tracking before 2025-08-28 allows attackers to inject HTML or execute arbitrary code via cookie hijacking. NOTE: a customer does not need to take any action to update locally installed software (such as Adform Site Tracking 1.1).
CVE-2024-5035 2026-04-15 N/A
The affected device expose a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.This issue affects Archer C4500X: through 1_1.1.6.
CVE-2025-23052 2026-04-15 7.2 High
Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system.
CVE-2025-49140 2026-04-15 7.5 High
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that: `padLen > 0 && padLen <= payloadLength` and return error on overflow, avoiding panic. If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
CVE-2023-47356 2026-04-15 8.8 High
Mingyu Security Gateway before v3.0-5.3p was discovered to contain a remote command execution (RCE) vulnerability via the log_type parameter at /log/fw_security.mds.
CVE-2025-4678 2026-04-15 N/A
Improper Neutralization of Special Elements in the chromium_path variable may allow OS command injection. This issue affects Pandora ITSM 5.0.105.