Search Results (347829 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25269 | 1 Icewarp | 1 Icewarp | 2026-04-22 | 6.1 Medium |
| ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. | ||||
| CVE-2026-1354 | 1 Zero Motorcycles | 1 Zero Motorcycles Firmware | 2026-04-22 | 6.4 Medium |
| Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update. | ||||
| CVE-2026-33611 | 1 Powerdns | 1 Authoritative | 2026-04-22 | 6.5 Medium |
| An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | ||||
| CVE-2026-6832 | 1 Nesquena | 1 Hermes-webui | 2026-04-22 | 8.1 High |
| Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system. | ||||
| CVE-2026-6416 | 1 Tanium | 2 Interact, Service Interact | 2026-04-22 | 2.7 Low |
| Tanium addressed an uncontrolled resource consumption vulnerability in Interact. | ||||
| CVE-2026-40706 | 1 Tuxera | 1 Ntfs-3g | 2026-04-22 | 8.4 High |
| In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs. | ||||
| CVE-2026-6823 | 1 Hkuds | 1 Openharness | 2026-04-22 | 8.2 High |
| HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools. | ||||
| CVE-2026-41458 | 1 Owntone | 1 Server | 2026-04-22 | N/A |
| OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication. | ||||
| CVE-2026-41457 | 1 Owntone | 1 Owntone-server | 2026-04-22 | N/A |
| OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data. | ||||
| CVE-2026-6829 | 1 Nesquena | 1 Hermes-webui | 2026-04-22 | 6.3 Medium |
| nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process. | ||||
| CVE-2019-25714 | 1 Seeyon Internet Software | 2 A8+ Collaborative Management Software, A8-v5 Collaborative Management Software | 2026-04-22 | N/A |
| Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC). | ||||
| CVE-2026-6830 | 1 Nesquena | 1 Hermes-webui | 2026-04-22 | 3.3 Low |
| nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles. | ||||
| CVE-2026-41456 | 1 Bludit | 1 Bludit | 2026-04-22 | N/A |
| Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users. | ||||
| CVE-2026-35451 | 1 Twenty | 1 Twenty | 2026-04-22 | 5.7 Medium |
| Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6. | ||||
| CVE-2026-40576 | 1 Haris-musa | 1 Excel-mcp-server | 2026-04-22 | 9.4 Critical |
| excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary — get_excel_path() — fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8. | ||||
| CVE-2026-40611 | 1 Go-acme | 1 Lego | 2026-04-22 | 8.8 High |
| Lego is a Let's Encrypt client and ACME library written in Go. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0. | ||||
| CVE-2026-40587 | 1 Blueprintue | 1 Blueprintue-self-hosted-edition | 2026-04-22 | 6.5 Medium |
| blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID → session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely — even after the legitimate user has detected the intrusion and changed their password — until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0. | ||||
| CVE-2026-40586 | 1 Blueprintue | 1 Blueprintue-self-hosted-edition | 2026-04-22 | 7.5 High |
| blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0. | ||||
| CVE-2026-40585 | 1 Blueprintue | 1 Blueprintue-self-hosted-edition | 2026-04-22 | 7.4 High |
| blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0. | ||||
| CVE-2026-40588 | 1 Blueprintue | 1 Blueprintue-self-hosted-edition | 2026-04-22 | 8.1 High |
| blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0. | ||||