Export limit exceeded: 366485 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (86875 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-49081 2 Aiohttp, Redhat 5 Aiohttp, Ansible Automation Platform, Rhui and 2 more 2026-06-23 7.2 High
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
CVE-2023-4781 3 Apple, Debian, Vim 3 Macos, Debian Linux, Vim 2026-06-23 7.8 High
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
CVE-2023-4750 3 Apple, Fedoraproject, Vim 3 Macos, Fedora, Vim 2026-06-23 7.8 High
Use After Free in GitHub repository vim/vim prior to 9.0.1857.
CVE-2023-4736 2 Apple, Vim 2 Macos, Vim 2026-06-23 7.8 High
Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.
CVE-2023-4735 2 Apple, Vim 2 Macos, Vim 2026-06-23 7.8 High
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.
CVE-2023-4734 2 Apple, Vim 2 Macos, Vim 2026-06-23 7.8 High
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.
CVE-2023-4733 3 Apple, Fedoraproject, Vim 3 Macos, Fedora, Vim 2026-06-23 7.8 High
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
CVE-2023-2610 1 Vim 1 Vim 2026-06-23 7.8 High
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.
CVE-2025-71376 2 Mmaitre314, Picklescan 2 Picklescan, Picklescan 2026-06-23 8.1 High
picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims.
CVE-2025-71319 2 Image-size, Image Sizes Project 2 Image-size, Image Sizes 2026-06-23 7.5 High
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
CVE-2026-54283 1 Kludex 1 Starlette 2026-06-23 7.5 High
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
CVE-2026-27942 1 Naturalintelligence 1 Fast-xml-parser 2026-06-23 7.5 High
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
CVE-2025-71341 2 Mmaitre314, Picklescan 2 Picklescan, Picklescan 2026-06-23 8.1 High
picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.
CVE-2011-0627 7 Adobe, Apple, Google and 4 more 7 Flash Player, Mac Os X, Android and 4 more 2026-06-23 8.8 High
Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content, as possibly exploited in the wild in May 2011 by a Microsoft Office document with an embedded .swf file.
CVE-2026-54299 1 Withastro 1 Astro 2026-06-23 7.5 High
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.
CVE-2026-56268 1 Flowiseai 1 Flowise 2026-06-23 7.7 High
Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns not only the chatflows bound to the supplied API key but also all chatflows across every workspace that have no API key assigned, because the underlying query lacks any workspace filter. An attacker with a valid API key for one workspace can therefore retrieve the full ChatFlow configuration (including flowData with system prompts and node configurations, chatbotConfig, apiConfig, and credential IDs) of unprotected chatflows belonging to other workspaces.
CVE-2025-71339 1 Mmaitre314 1 Picklescan 2026-06-23 8.1 High
Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.
CVE-2025-71365 1 Mmaitre314 1 Picklescan 2026-06-23 8.1 High
picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded.
CVE-2026-54232 1 Vllm-project 1 Vllm 2026-06-23 8.8 High
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
CVE-2026-48505 1 Filamentphp 1 Filament 2026-06-23 7.4 High
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.