Export limit exceeded: 366296 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 366296 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 366296 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 366296 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (86795 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48712 1 Protobuf 1 Protobuf 2026-06-24 7.5 High
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.
CVE-2026-54290 1 Hono 1 Hono 2026-06-24 7.1 High
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.
CVE-2026-44274 1 Dell 1 Wyse Management Suite 2026-06-24 7.8 High
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Link Resolution Before File Access vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
CVE-2026-44272 1 Dell 1 Wyse Management Suite 2026-06-24 8.8 High
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
CVE-2026-44271 1 Dell 1 Wyse Management Suite 2026-06-24 8.1 High
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
CVE-2026-56314 1 Cap-go 1 Cap-go 2026-06-24 7.1 High
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.
CVE-2026-56323 1 Cap-go 1 Cap-go 2026-06-24 7.5 High
Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.
CVE-2026-56324 1 Cap-go 1 Cap-go 2026-06-24 8.2 High
Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
CVE-2026-48506 1 Messagepack 1 Messagepack-csharp 2026-06-24 7.5 High
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.
CVE-2026-48109 1 Messagepack 1 Messagepack-csharp 2026-06-24 8.2 High
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.
CVE-2025-61018 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2025-61022 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2025-61024 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2025-61025 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2026-39253 1 Pivotal 1 Crm 2026-06-24 8.1 High
An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.
CVE-2025-61020 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2025-61029 1 Openlink 1 Virtuoso-opensource 2026-06-24 7.5 High
An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2026-8163 2 Infility, Wordpress 2 Infility Global, Wordpress 2026-06-24 8.8 High
The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
CVE-2026-8172 2 Wordpress, Wpkube 2 Wordpress, Simple Basic Contact Form 2026-06-24 7.1 High
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
CVE-2023-54365 1 Traefik 2 Traefik, Traefik Enterprise 2026-06-24 7.5 High
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.