Export limit exceeded: 74696 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (74696 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34222 | 1 Open-webui | 1 Open-webui | 2026-04-02 | 7.7 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11. | ||||
| CVE-2026-34236 | 1 Auth0 | 1 Auth0-php | 2026-04-02 | 8.2 High |
| Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0. | ||||
| CVE-2026-34376 | 1 Mrmn2 | 1 Pdfding | 2026-04-02 | 7.5 High |
| PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0. | ||||
| CVE-2026-34445 | 1 Onnx | 1 Onnx | 2026-04-02 | 8.6 High |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0. | ||||
| CVE-2026-27489 | 1 Onnx | 1 Onnx | 2026-04-02 | 8.6 High |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0. | ||||
| CVE-2026-34746 | 1 Payloadcms | 1 Payload | 2026-04-02 | 7.7 High |
| Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1. | ||||
| CVE-2026-34747 | 1 Payloadcms | 1 Payload | 2026-04-02 | 8.5 High |
| Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1. | ||||
| CVE-2026-34748 | 1 Payloadcms | 1 Payload | 2026-04-02 | 8.7 High |
| Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0. | ||||
| CVE-2026-34529 | 1 Filebrowser | 1 Filebrowser | 2026-04-02 | 7.6 High |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2. | ||||
| CVE-2026-34528 | 1 Filebrowser | 1 Filebrowser | 2026-04-02 | 8.1 High |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2. | ||||
| CVE-2026-32286 | 1 Jackc | 1 Pgproto3 | 2026-04-02 | 7.5 High |
| The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic. | ||||
| CVE-2025-43257 | 2026-04-02 | 8.7 High | ||
| This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox. | ||||
| CVE-2024-44303 | 2026-04-02 | 7.5 High | ||
| The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1. A malicious application may be able to modify protected parts of the file system. | ||||
| CVE-2024-44286 | 2026-04-02 | 7.5 High | ||
| This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access can input keyboard events to apps running on a locked device. | ||||
| CVE-2024-44219 | 2026-04-02 | 7.5 High | ||
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. A malicious application with root privileges may be able to access private information. | ||||
| CVE-2024-40858 | 2026-04-02 | 7.1 High | ||
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent. | ||||
| CVE-2024-40849 | 2026-04-02 | 7.5 High | ||
| A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to break out of its sandbox. | ||||
| CVE-2026-34352 | 1 Tigervnc | 1 Tigervnc | 2026-04-02 | 8.5 High |
| In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions. | ||||
| CVE-2026-34572 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-02 | 8.8 High |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0. | ||||
| CVE-2026-32925 | 1 Fujielectric | 1 V-sft | 2026-04-02 | 7.8 High |
| V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product. | ||||