Export limit exceeded: 351844 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351844 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8766 | 2 Kilo, Kilo-org | 3 Kilo Code, Kilo Code Cli, Kilocode | 2026-05-20 | 4.3 Medium |
| A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-7613 | 2026-05-20 | 7.2 High | ||
| The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-9087 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-05-20 | 6.4 Medium |
| A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account. | ||||
| CVE-2026-45232 | 1 Rsync Project | 1 Rsync | 2026-05-20 | 3.1 Low |
| Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set. | ||||
| CVE-2026-44924 | 2026-05-20 | N/A | ||
| InfoScale VIOM 9.1.3 allows XSS. | ||||
| CVE-2026-24206 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-05-20 | 7.3 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure. | ||||
| CVE-2026-24207 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-05-20 | 9.8 Critical |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | ||||
| CVE-2026-20199 | 2026-05-20 | 4.7 Medium | ||
| A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. | ||||
| CVE-2026-31416 | 1 Linux | 1 Linux Kernel | 2026-05-20 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects. | ||||
| CVE-2026-37281 | 1 Hitarth-gg | 1 Zenshin | 2026-05-20 | 9.8 Critical |
| An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter. | ||||
| CVE-2026-24208 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-05-20 | 5.3 Medium |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-34645 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-05-20 | 7.5 High |
| Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-34646 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-05-20 | 7.5 High |
| Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-34647 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-05-20 | 7.4 High |
| Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. | ||||
| CVE-2026-34648 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-05-20 | 7.5 High |
| Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-24209 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-05-20 | 7.5 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-24210 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-05-20 | 7.5 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2023-7345 | 1 Ledger | 2 Hw-app-eth, Ledger Live | 2026-05-20 | 6.5 Medium |
| Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts. | ||||
| CVE-2026-34744 | 1 Mantisbt | 1 Mantisbt | 2026-05-20 | N/A |
| Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2. | ||||
| CVE-2026-6397 | 2 Cvmh, Wordpress | 2 Sticky, Wordpress | 2026-05-20 | 6.4 Medium |
| The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the `cvmh_sticky_front_render()` function — the `readmoretext` attribute value is passed through `apply_filters()` and directly concatenated into the HTML output without any escaping function such as `esc_html()`. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the injected shortcode. | ||||