Export limit exceeded: 345221 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345221 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6388 | 1 Redhat | 1 Openshift Gitops | 2026-04-17 | 9.1 Critical |
| A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates. | ||||
| CVE-2026-41082 | 1 Ocaml | 1 Ocaml | 2026-04-17 | 7.3 High |
| In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. | ||||
| CVE-2026-5598 | 1 Bouncycastle | 1 Bc-java | 2026-04-17 | 7.5 High |
| Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84. | ||||
| CVE-2026-3505 | 1 Bouncycastle | 1 Bc-java | 2026-04-17 | N/A |
| Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion. | ||||
| CVE-2026-34186 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-30806 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-34454 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-17 | 3.5 Low |
| OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2 | ||||
| CVE-2026-23891 | 1 Decidim | 1 Decidim | 2026-04-17 | N/A |
| Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1. | ||||
| CVE-2026-32316 | 1 Jqlang | 1 Jq | 2026-04-17 | 8.2 High |
| jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5. | ||||
| CVE-2026-34160 | 1 Chamilo | 1 Chamilo Lms | 2026-04-17 | 8.6 High |
| Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3. | ||||
| CVE-2025-69624 | 1 Nitro | 1 Pdf Pro | 2026-04-17 | 7.5 High |
| Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. | ||||
| CVE-2026-30999 | 1 Ffmpeg | 1 Ffmpeg | 2026-04-17 | 7.5 High |
| A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. | ||||
| CVE-2026-33534 | 1 Espocrm | 1 Espocrm | 2026-04-17 | 4.3 Medium |
| EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4. | ||||
| CVE-2026-34188 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-38530 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 8.1 High |
| A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-28291 | 1 Steveukx | 1 Git-js | 2026-04-17 | 8.1 High |
| simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0. | ||||
| CVE-2025-63743 | 1 Grokability | 1 Snipe-it | 2026-04-17 | 5.4 Medium |
| Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2. | ||||
| CVE-2026-24907 | 1 Octobercms | 1 October | 2026-04-17 | N/A |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure. | ||||
| CVE-2026-38529 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 8.8 High |
| A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | ||||
| CVE-2026-25125 | 1 Octobercms | 1 October | 2026-04-17 | 4.9 Medium |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to immediately upgrade, they can workaround this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network. | ||||