Export limit exceeded: 352091 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352091 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44051 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 8.1 High |
| An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation. | ||||
| CVE-2026-2734 | 1 Mlflow | 1 Mlflow/mlflow | 2026-05-21 | 6.5 Medium |
| In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0. | ||||
| CVE-2026-22880 | 1 Mattermost | 1 Mattermost | 2026-05-21 | 6.1 Medium |
| Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564 | ||||
| CVE-2026-44053 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 7.4 High |
| Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack. | ||||
| CVE-2026-5433 | 2026-05-21 | 9.1 Critical | ||
| Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE). | ||||
| CVE-2026-44054 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 6.5 Medium |
| Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism. | ||||
| CVE-2023-4406 | 1 Kc Group E-commerce Software Project | 1 Kc Group E-commerce Software | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS. This issue affects E-Commerce Software: through 20231123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-44074 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 3.7 Low |
| Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths. | ||||
| CVE-2023-4530 | 1 Turnatasarim | 1 Advertising Administration Panel | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Turna Advertising Administration Panel allows SQL Injection. This issue affects Advertising Administration Panel: before 1.1. | ||||
| CVE-2026-44055 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 7.5 High |
| A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code. | ||||
| CVE-2023-4531 | 1 Mestav | 1 E-commerce Software | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestav Software E-commerce Software allows SQL Injection. This issue affects E-commerce Software: before 20230901 . | ||||
| CVE-2023-4541 | 1 Ween | 1 Management Panel | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection. This issue affects Admin Panel: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-35008 | 1 Openises | 1 Tickets | 2026-05-21 | 4.6 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited. | ||||
| CVE-2026-42002 | 1 Powerdns | 1 Authoritative | 2026-05-21 | 5.9 Medium |
| Concurrency and locking defects in GSS-TSIG | ||||
| CVE-2026-35014 | 1 Openises | 1 Tickets | 2026-05-21 | 4.6 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | ||||
| CVE-2023-4661 | 1 Adobe | 1 Connect | 2026-05-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saphira Saphira Connect allows SQL Injection. This issue affects Saphira Connect: before 9. | ||||
| CVE-2026-4811 | 2 Wordpress, Wpbean | 2 Wordpress, Wpb Floating Menu Or Categories – Sticky Floating Side Menu & Categories With Icons | 2026-05-21 | 4.9 Medium |
| The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-4662 | 1 Adobe | 1 Connect | 2026-05-21 | 9.8 Critical |
| Execution with Unnecessary Privileges vulnerability in Saphira Saphira Connect allows Remote Code Inclusion. This issue affects Saphira Connect: before 9. | ||||
| CVE-2026-44056 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 6 Medium |
| A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data. | ||||
| CVE-2026-44058 | 1 Netatalk | 1 Netatalk | 2026-05-21 | 6.4 Medium |
| An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism. | ||||