Export limit exceeded: 358236 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358236 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-45012 | 1 Apostrophecms | 1 Apostrophecms | 2026-06-15 | 7.6 High |
| ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available. | ||||
| CVE-2026-12130 | 1 Codeastro | 1 Human Resource Management System | 2026-06-15 | 3.5 Low |
| A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-46716 | 1 Nezhahq | 1 Nezha | 2026-06-15 | 9.9 Critical |
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8. | ||||
| CVE-2026-48119 | 1 Nezhahq | 1 Nezha | 2026-06-15 | 7.1 High |
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12. | ||||
| CVE-2026-53522 | 1 Nezhahq | 1 Nezha | 2026-06-15 | 6.5 Medium |
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-45501 | 1 Microsoft | 9 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 6 more | 2026-06-15 | 6.5 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-34195 | 1 Imaginationtech | 1 Graphics Ddk | 2026-06-15 | 8.8 High |
| Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping. | ||||
| CVE-2026-41155 | 1 Imaginationtech | 1 Graphics Ddk | 2026-06-15 | 5.5 Medium |
| An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disrupt the operation of another secure GPU process leading to image corruption / GPU hardware recovery. Sharing secure memory allocations among various GPU secure processes allows an attacker to corrupt shared resource affecting other users. | ||||
| CVE-2026-53823 | 1 Openclaw | 1 Openclaw | 2026-06-15 | 8.1 High |
| OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities. | ||||
| CVE-2026-53829 | 1 Openclaw | 1 Openclaw | 2026-06-15 | 8 High |
| OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval. | ||||
| CVE-2026-53834 | 1 Openclaw | 1 Openclaw | 2026-06-15 | 7.5 High |
| OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration. | ||||
| CVE-2026-45502 | 1 Microsoft | 5 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 2 more | 2026-06-15 | 5 Medium |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-45503 | 1 Microsoft | 9 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 6 more | 2026-06-15 | 8.1 High |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-49875 | 1 Apache | 1 Cxf | 2026-06-15 | 6.5 Medium |
| Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. | ||||
| CVE-2026-45504 | 1 Microsoft | 9 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 6 more | 2026-06-15 | 8.8 High |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-47631 | 1 Microsoft | 8 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 5 more | 2026-06-15 | 8.1 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-42897 | 1 Microsoft | 8 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 5 more | 2026-06-15 | 8.1 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-53786 | 1 Microsoft | 6 Exchange, Exchange Server, Exchange Server 2016 and 3 more | 2026-06-15 | 8 High |
| On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. | ||||
| CVE-2026-42984 | 1 Microsoft | 18 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 15 more | 2026-06-15 | 7 High |
| Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-42972 | 1 Microsoft | 26 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 23 more | 2026-06-15 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally. | ||||