Export limit exceeded: 364625 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364625 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364625 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364625 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-33264 1 Apache 1 Airflow 2026-07-10 9.8 Critical
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.
CVE-2026-11340 1 Havelsan 1 Liman Mys 2026-07-10 8.3 High
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107.
CVE-2026-11348 1 Havelsan 1 Liman Mys 2026-07-10 8.1 High
Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data. This issue affects Liman MYS: before release.Master.1107.
CVE-2026-13696 1 Havelsan 1 Liman Mys 2026-07-10 8.8 High
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection. This issue affects Liman MYS: before release.Master.1107.
CVE-2011-10043 1 Bingos 1 Module::load 2026-07-10 9.8 Critical
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
CVE-2026-6101 2 Mohammed Kaludi, Wordpress 2 Amp For Wp – Accelerated Mobile Pages, Wordpress 2026-07-10 7.5 High
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, potentially leading to remote code execution on hosts that execute PHP files in the uploads directory.
CVE-2026-12352 1 Digi International 2 Digi One Sp / Sp Ia / Ia, Portserver Ts 1/2/4 2026-07-10 5.9 Medium
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
CVE-2026-12948 1 Digi International 4 Digi One Ia, Digi One Sp, Digi One Sp Ia and 1 more 2026-07-10 N/A
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
CVE-2026-14935 2 Gstreamer, Redhat 2 Gstreamer, Enterprise Linux 2026-07-10 3.7 Low
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.
CVE-2026-57851 1 Msi 1 Kerncorelib64.sys 2026-07-10 7.8 High
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
CVE-2026-48954 1 Joomla 1 Joomla! 2026-07-10 N/A
Improper validation leads to a generic XSS vector in the language override feature.
CVE-2026-48949 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVE-2026-48948 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
CVE-2026-48953 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
CVE-2026-48951 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVE-2026-48957 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to access com_privacy datasets.
CVE-2026-48956 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows users to display a list of modules in the frontend.
CVE-2026-48955 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to access workflow stage and transition information.
CVE-2026-48950 1 Joomla 1 Joomla! 2026-07-10 N/A
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVE-2026-48958 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to create custom fields via webservices endpoints.