Export limit exceeded: 344019 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344019 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34446 | 1 Onnx | 1 Onnx | 2026-04-03 | 4.7 Medium |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0. | ||||
| CVE-2026-34513 | 1 Aio-libs | 1 Aiohttp | 2026-04-03 | 3.7 Low |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4. | ||||
| CVE-2026-34525 | 1 Aio-libs | 1 Aiohttp | 2026-04-03 | 5.4 Medium |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. | ||||
| CVE-2026-34531 | 1 Miguelgrinberg | 1 Flask-httpauth | 2026-04-03 | 6.5 Medium |
| Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1. | ||||
| CVE-2026-5321 | 1 Vanna-ai | 1 Vanna | 2026-04-03 | 4.3 Medium |
| A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5319 | 1 Itsourcecode | 1 Payroll Management System | 2026-04-03 | 4.3 Medium |
| A security vulnerability has been detected in itsourcecode Payroll Management System up to 1.0. Affected is an unknown function of the file /navbar.php. Such manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-5325 | 1 Sourcecodester | 1 Simple Customer Relationship Management System | 2026-04-03 | 3.5 Low |
| A vulnerability was determined in SourceCodester Simple Customer Relationship Management System 1.0. This issue affects some unknown processing of the file /create-ticket.php of the component Create Ticket. This manipulation of the argument Description causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-34447 | 1 Onnx | 1 Onnx | 2026-04-03 | 5.5 Medium |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0. | ||||
| CVE-2026-34514 | 1 Aio-libs | 1 Aiohttp | 2026-04-03 | 5.3 Medium |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. | ||||
| CVE-2026-21765 | 1 Hcltech | 1 Bigfix Platform | 2026-04-03 | 8.8 High |
| HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions. | ||||
| CVE-2026-29131 | 1 Seppmail | 1 Seppmail Secure Email Gateway | 2026-04-03 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users. | ||||
| CVE-2026-29139 | 1 Seppmail | 1 Seppmail Secure Email Gateway | 2026-04-03 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password. | ||||
| CVE-2026-33613 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-03 | 7.2 High |
| Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table. | ||||
| CVE-2026-33614 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-03 | 7.5 High |
| An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | ||||
| CVE-2026-23415 | 1 Linux | 1 Linux Kernel | 2026-04-03 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode. [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87 [ 151.415969] Call Trace: [ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349) [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593) Fix by adding rcu to __mpol_put(). | ||||
| CVE-2026-5315 | 1 Nothings | 1 Stb | 2026-04-03 | 4.3 Medium |
| A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulation can lead to out-of-bounds read. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5317 | 1 Nothings | 1 Stb | 2026-04-03 | 6.3 Medium |
| A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-34517 | 1 Aio-libs | 1 Aiohttp | 2026-04-03 | 3.7 Low |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4. | ||||
| CVE-2026-29135 | 1 Seppmail | 1 Seppmail Secure Email Gateway | 2026-04-03 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization. | ||||
| CVE-2026-34559 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-03 | 9.1 Critical |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0. | ||||