Export limit exceeded: 361070 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361070 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-53224 | 1 Linux | 1 Linux Kernel | 2026-06-25 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads. In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads. Fix this by: - requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk); - validating that the INIT chunk and raw address list together fit within the cookie payload; - verifying sufficient data exists for each address parameter header and payload before parsing it. Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch. | ||||
| CVE-2026-41566 | 1 Apache | 1 Kvrocks | 2026-06-25 | N/A |
| Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. | ||||
| CVE-2026-55454 | 1 Appsmith | 1 Appsmith | 2026-06-25 | 9.9 Critical |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1. | ||||
| CVE-2026-57234 | 2026-06-25 | 2.6 Low | ||
| Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4. | ||||
| CVE-2026-53124 | 1 Linux | 1 Linux Kernel | 2026-06-25 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen). | ||||
| CVE-2026-57437 | 2026-06-25 | N/A | ||
| Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4. | ||||
| CVE-2026-42389 | 2026-06-25 | 5.3 Medium | ||
| This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers. | ||||
| CVE-2026-54822 | 2026-06-25 | 8.5 High | ||
| Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions. | ||||
| CVE-2026-54838 | 2026-06-25 | 8.5 High | ||
| Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions. | ||||
| CVE-2026-56023 | 2026-06-25 | 5.4 Medium | ||
| Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions. | ||||
| CVE-2026-52795 | 1 Gogs | 1 Gogs | 2026-06-25 | 4.3 Medium |
| Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content. | ||||
| CVE-2026-57435 | 2026-06-25 | N/A | ||
| Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4. | ||||
| CVE-2026-56042 | 2026-06-25 | 7.1 High | ||
| Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions. | ||||
| CVE-2026-54849 | 2026-06-25 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions. | ||||
| CVE-2026-54841 | 2026-06-25 | 7.5 High | ||
| Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions. | ||||
| CVE-2026-54823 | 2026-06-25 | 9.9 Critical | ||
| Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions. | ||||
| CVE-2026-3437 | 1 Portwell | 2 Engineering Toolkits, Portwell Engineering Toolkits | 2026-06-25 | 8.8 High |
| An improper restriction of operations within the bounds of a memory buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition. | ||||
| CVE-2026-52815 | 1 Gogs | 1 Gogs | 2026-06-25 | N/A |
| Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3. | ||||
| CVE-2026-47733 | 1 Rocketchat | 1 Rocket.chat | 2026-06-25 | 4.4 Medium |
| Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component — which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols — ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0. | ||||
| CVE-2026-42387 | 2026-06-25 | 5.9 Medium | ||
| A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation. | ||||