Export limit exceeded: 348781 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348781 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47404 | 1 Qualcomm | 377 215 Mobile, 215 Mobile Firmware, 5g Fixed Wireless Access and 374 more | 2026-05-06 | 6.5 Medium |
| Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified. | ||||
| CVE-2025-47405 | 1 Qualcomm | 33 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 30 more | 2026-05-06 | 7.8 High |
| Memory corruption when processing camera sensor input/output control codes with invalid output buffers. | ||||
| CVE-2025-47408 | 1 Qualcomm | 41 Fastconnect 6200, Fastconnect 6200 Firmware, Fastconnect 6900 and 38 more | 2026-05-06 | 7.8 High |
| Memory corruption when another driver calls an IOCTL with invalid input/output buffer. | ||||
| CVE-2025-47406 | 1 Qualcomm | 63 Cologne, Cologne Firmware, Fastconnect 6700 and 60 more | 2026-05-06 | 6.1 Medium |
| Information Disclosure while processing IOCTL handler callbacks without verifying buffer size. | ||||
| CVE-2025-47407 | 1 Qualcomm | 201 Cq7790, Cq7790 Firmware, Cq8725s and 198 more | 2026-05-06 | 7.8 High |
| Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level. | ||||
| CVE-2026-24082 | 1 Qualcomm | 353 Ar8031, Ar8031 Firmware, Ar8035 and 350 more | 2026-05-06 | 7.8 High |
| Memory Corruption when copying data from a freed source while executing performance counter deselect operation. | ||||
| CVE-2026-25266 | 1 Qualcomm | 49 Cologne, Cologne Firmware, Fastconnect 6900 and 46 more | 2026-05-06 | 5.5 Medium |
| Memory corruption while processing IOCTL command when device is in power-save state. | ||||
| CVE-2026-23653 | 1 Microsoft | 2 Github Copilot Chat, Visual Studio Code Copilot Chat Extension | 2026-05-06 | 5.7 Medium |
| Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-25293 | 1 Qualcomm | 3 Qca7005, Qca7005 Firmware, Snapdragon | 2026-05-06 | 9.6 Critical |
| Buffer overflow due to incorrect authorization in PLC FW | ||||
| CVE-2026-40682 | 1 Apache | 1 Opennlp | 2026-05-06 | 9.1 Critical |
| XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser. | ||||
| CVE-2026-42027 | 1 Apache | 1 Opennlp | 2026-05-06 | 9.8 Critical |
| Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load. Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization. | ||||
| CVE-2026-23708 | 1 Fortinet | 3 Fortisoar, Fortisoaron-premise, Fortisoarpaas | 2026-05-06 | 6.7 Medium |
| A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity. | ||||
| CVE-2026-38431 | 1 Erpnext | 1 Erpnext | 2026-05-06 | 9.8 Critical |
| ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | ||||
| CVE-2026-38432 | 1 Erpnext | 1 Erpnext | 2026-05-06 | 6.1 Medium |
| ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied. | ||||
| CVE-2026-38947 | 1 Fluentcms | 1 Fluentcms | 2026-05-06 | 6.1 Medium |
| FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. | ||||
| CVE-2026-20195 | 2026-05-06 | 5.3 Medium | ||
| A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. | ||||
| CVE-2026-43148 | 1 Linux | 1 Linux Kernel | 2026-05-06 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: powerpc/smp: Add check for kcalloc() failure in parse_thread_groups() As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). | ||||
| CVE-2026-43151 | 1 Linux | 1 Linux Kernel | 2026-05-06 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: Revert "media: iris: Add sanity check for stop streaming" This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4. Revert the check that skipped stop_streaming when the instance was in IRIS_INST_ERROR, as it caused multiple regressions: 1. Buffers were not returned to vb2 when the instance was already in error state, triggering warnings in the vb2 core because buffer completion was skipped. 2. If a session failed early (e.g. unsupported configuration), the instance transitioned to IRIS_INST_ERROR. When userspace attempted to stop streaming for cleanup, stop_streaming was skipped due to the added check, preventing proper teardown and leaving the firmware in an inconsistent state. | ||||
| CVE-2026-20168 | 2026-05-06 | 6.5 Medium | ||
| A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access. | ||||
| CVE-2025-29165 | 1 Dlink | 2 Dir-1253, Dir-1253 Firmware | 2026-05-06 | 9.8 Critical |
| An issue in D-Link DIR-1253 MESH V1.6.1684 allows an attacker to escalate privileges via the etc/shadow.sample component | ||||