Export limit exceeded: 359813 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (359813 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47645 | 1 Microsoft | 1 365 Copilot | 2026-06-22 | 8.8 High |
| Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-3640 | 2 Strablengineering, Wordpress | 2 Strabl – A Checkout Solution, Wordpress | 2026-06-22 | 5.3 Medium |
| The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials. | ||||
| CVE-2026-8646 | 1 Ibm | 2 Websphere Application Server, Websphere Application Server Liberty | 2026-06-22 | 7.4 High |
| IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information. | ||||
| CVE-2026-9610 | 1 Ibm | 2 Datacap, Datacap Navigator | 2026-06-22 | 2.3 Low |
| IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 exposes resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls. | ||||
| CVE-2026-56410 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 6.9 Medium |
| xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. | ||||
| CVE-2026-4328 | 2 Addonspress, Wordpress | 2 Advanced Import, Wordpress | 2026-06-22 | 6.4 Medium |
| The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints. | ||||
| CVE-2026-56409 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 6.5 Medium |
| xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. | ||||
| CVE-2026-10779 | 2026-06-22 | 4.3 Medium | ||
| The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own. | ||||
| CVE-2026-56408 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 6.9 Medium |
| libexpat before 2.8.2 has an integer overflow in copyString. | ||||
| CVE-2026-56407 | 1 Libexpat Project | 1 Libexpat | 2026-06-22 | 6.9 Medium |
| libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | ||||
| CVE-2026-3195 | 2 Qemu, Redhat | 3 Qemu, Enterprise Linux, Openshift | 2026-06-22 | 7.4 High |
| A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730. | ||||
| CVE-2026-3196 | 2 Qemu, Redhat | 3 Qemu, Enterprise Linux, Openshift | 2026-06-22 | 5.5 Medium |
| An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. | ||||
| CVE-2026-9375 | 1 Urllib3 | 1 Urllib3 | 2026-06-22 | N/A |
| urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources. | ||||
| CVE-2026-56075 | 1 Praison | 1 Praisonai | 2026-06-22 | 8.8 High |
| PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate and insufficient command sanitization blocklists. | ||||
| CVE-2026-12602 | 2026-06-22 | N/A | ||
| Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity. | ||||
| CVE-2026-12804 | 1 Lemonldap-ng | 1 Lemonldap-ng | 2026-06-22 | 4.3 Medium |
| A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue. The vendor confirms, that "it has been fixed some days ago and will be available in 2.23.1. CDC is quite never used, so the impact is very low." | ||||
| CVE-2026-49454 | 1 Sztheory | 1 Relyra | 2026-06-22 | 9.1 Critical |
| Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was incomplete as :public_key.verify over the exclusive-C14N canonicalized SignedInfo was not performed against the configured IdP certificate's public key, DigestValue was not recomputed over the canonicalized referenced element, and canonicalize/2 remained an unused passthrough in the signature-verification path. The result was a structure-only acceptance path where document shape and trust-source rejection could succeed without proving the signature bytes. A forged SignatureValue carrying an attacker-controlled NameID could be accepted as {:ok}. This issue has been fixed in version 1.2.0. | ||||
| CVE-2026-6653 | 1 Gnome | 1 Libxml2 | 2026-06-22 | N/A |
| Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling. | ||||
| CVE-2025-62198 | 1 Apache | 1 Atlas | 2026-06-22 | 5.4 Medium |
| An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue. | ||||
| CVE-2025-66336 | 1 Apache | 1 Doris Mcp Server | 2026-06-22 | 8.1 High |
| Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue. | ||||