Search Results (351817 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8368 | 1 Oalders | 1 Lwp::useragent | 2026-05-19 | 6.5 Medium |
| LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker-controlled host therefore discloses the caller's credentials to that host. | ||||
| CVE-2026-8963 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.5 High |
| Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||||
| CVE-2026-8968 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.5 High |
| Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8969 | 1 Mozilla | 1 Firefox | 2026-05-19 | 8.1 High |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||||
| CVE-2026-8970 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.3 High |
| Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8961 | 1 Mozilla | 1 Firefox | 2026-05-19 | N/A |
| Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8957 | 1 Mozilla | 1 Firefox | 2026-05-19 | 6.5 Medium |
| Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8949 | 1 Mozilla | 1 Firefox | 2026-05-19 | 7.5 High |
| Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | ||||
| CVE-2026-8548 | 1 Google | 1 Chrome | 2026-05-19 | 8.3 High |
| Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-8549 | 1 Google | 1 Chrome | 2026-05-19 | 8.8 High |
| Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-8550 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-05-19 | 6.5 Medium |
| Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-41552 | 1 Dhtmlx | 1 Pdf Export Module | 2026-05-19 | 7.5 High |
| The PDF Export Module used in DHTMLX's Gantt and Scheduler products is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft an HTML payload that includes local files from the server and displays them in the generated PDF. This issue was fixed in PDF Export Module version 0.7.6. | ||||
| CVE-2026-42304 | 1 Twisted | 1 Twisted | 2026-05-19 | 7.5 High |
| Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2. | ||||
| CVE-2026-24710 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | 6.1 Medium |
| Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS. | ||||
| CVE-2026-36438 | 1 Intelbras | 1 Vip-1230-d-g4 | 2026-05-19 | 5.3 Medium |
| An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via the password reset functionality under /OutsideCmd. | ||||
| CVE-2026-24711 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | 5.3 Medium |
| Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. | ||||
| CVE-2026-24712 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | 7.3 High |
| Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection. | ||||
| CVE-2026-5804 | 1 Motorola | 1 Phones | 2026-05-19 | 8.4 High |
| An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings. | ||||
| CVE-2026-43634 | 1 Hestiacp | 1 Hestiacp | 2026-05-19 | 7.5 High |
| HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request. | ||||
| CVE-2026-45672 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 8.8 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12. | ||||