Export limit exceeded: 360133 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 360133 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (360133 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-38717 | 2026-06-23 | 9.8 Critical | ||
| InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | ||||
| CVE-2025-61018 | 2026-06-23 | 7.5 High | ||
| An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | ||||
| CVE-2025-61020 | 2026-06-23 | 7.5 High | ||
| An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | ||||
| CVE-2025-61024 | 2026-06-23 | 7.5 High | ||
| An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | ||||
| CVE-2025-61029 | 2026-06-23 | 7.5 High | ||
| An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | ||||
| CVE-2025-61028 | 2026-06-23 | N/A | ||
| An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | ||||
| CVE-2026-34915 | 1 Revive | 1 Adserver | 2026-06-23 | N/A |
| A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated. | ||||
| CVE-2026-44959 | 1 Revive | 1 Adserver | 2026-06-23 | N/A |
| A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery. Input sanitisation has been improved to ensure that unexpected parameters are filtered out. | ||||
| CVE-2026-44961 | 1 Revive | 1 Adserver | 2026-06-23 | N/A |
| The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing. | ||||
| CVE-2026-34914 | 1 Revive | 1 Adserver | 2026-06-23 | N/A |
| A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated. | ||||
| CVE-2026-34916 | 1 Revive-adserver | 1 Revive Adserver | 2026-06-23 | N/A |
| A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on the database and have it executed during banner delivery. Input sanitisation has been improved to ensure that the parameter is properly validated. | ||||
| CVE-2026-56968 | 1 Gnu | 1 Gnu Sasl | 2026-06-23 | 3.7 Low |
| GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server. | ||||
| CVE-2026-54318 | 1 Home-assistant | 1 Core | 2026-06-23 | 7.1 High |
| Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3. | ||||
| CVE-2020-9713 | 1 Adobe | 1 Acrobat Reader | 2026-06-23 | 5.5 Medium |
| Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-52845 | 1 Caddyserver | 1 Caddy | 2026-06-23 | 8.1 High |
| Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4. | ||||
| CVE-2020-9695 | 1 Adobe | 1 Acrobat Reader | 2026-06-23 | 7.8 High |
| Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-12164 | 2026-06-23 | 4.4 Medium | ||
| Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles or role-permission relationships. | ||||
| CVE-2026-7842 | 2026-06-23 | 6.8 Medium | ||
| The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page. | ||||
| CVE-2026-8163 | 2026-06-23 | 8.8 High | ||
| The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above. | ||||
| CVE-2026-48493 | 2026-06-23 | 5.5 Medium | ||
| Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0. | ||||