Export limit exceeded: 366571 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (16013 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-30221 2026-04-15 N/A
Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.
CVE-2025-3145 1 Mindspore 1 Mindspore 2026-04-15 3.3 Low
A vulnerability, which was classified as problematic, has been found in MindSpore 2.5.0. Affected by this issue is the function mindspore.numpy.fft.rfft2. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-32072 2026-04-15 N/A
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43.
CVE-2025-3588 2026-04-15 5.3 Medium
A vulnerability, which was classified as problematic, has been found in joelittlejohn jsonschema2pojo 1.2.2. This issue affects the function apply of the file org/jsonschema2pojo/rules/SchemaRule.java of the component JSON File Handler. The manipulation leads to stack-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-40769 1 Siemens 1 Sinec Traffic Analyzer 2026-04-15 7.4 High
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application uses a Content Security Policy that allows unsafe script execution methods. This could allow an attacker to execute unauthorized scripts, potentially leading to cross-site scripting attacks.
CVE-2025-41672 1 Wago 1 Device Sphere 2026-04-15 10 Critical
A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.
CVE-2025-41713 1 Wago 1 Cc100 2026-04-15 6.5 Medium
During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration.
CVE-2025-3854 2026-04-15 8 High
A vulnerability, which was classified as critical, was found in H3C GR-3000AX up to V100R006. Affected is the function EnableIpv6/UpdateWanModeMulti/UpdateIpv6Params/EditWlanMacList/Edit_List_SSID of the file /goform/aspForm of the component HTTP POST Request Handler. The manipulation of the argument param leads to buffer overflow. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. Other functions might be affected as well.
CVE-2025-4423 1 Insyde 1 Insydeh2o 2026-04-15 8.2 High
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability.  https://support.lenovo.com/us/en/product_security/home
CVE-2025-4446 1 H3c 1 Gr-5400ax 2026-04-15 8 High
A vulnerability has been found in H3C GR-5400AX up to 100R008 and classified as critical. This vulnerability affects the function Edit_List_SSID of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack needs to be approached within the local network.
CVE-2025-46333 2026-04-15 N/A
z2d is a pure Zig 2D graphics library. Versions of z2d after `0.5.1` and up to and including `0.6.0`, when writing from one surface to another using `z2d.compositor.StrideCompositor.run`, and higher-level operations when the anti-aliasing mode is set to `.default` (such as `Context.fill`, `Context.stroke`, `painter.fill`, and `painter.stroke`), the source surface can be completely out-of-bounds on the x-axis, but not on the y-axis, by way of a negative offset. This results in an overflow of the value controlling the length of the stride. In non-safe optimization modes (consumers compiling with `ReleaseFast` or `ReleaseSmall`), this could potentially lead to invalid memory accesses or corruption. This issue is patched in version `0.6.1`. Users on an untagged version after `v0.5.1` and before `v0.6.1` are advised to update to address the vulnerability. Those still on Zig `0.13.0` are recommended to downgrade to `v0.5.1`.
CVE-2025-9338 1 Asus 1 Armoury Crate 2026-04-15 N/A
A improper restriction of operations within the bounds of a memory buffer exists in AsIO3.sys driver. This vulnerability can be triggered by manually executing a specially crafted process, potentially leading to local privilage escalation. For additional information, please refer to the 'Security Update for Armoury Crate App' section of the ASUS Security Advisory.
CVE-2025-47153 1 Nodejs 1 Nodejs 2026-04-15 6.5 Medium
Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.
CVE-2025-29366 2026-04-15 9.8 Critical
In mupen64plus v2.6.0 there is an array overflow vulnerability in the write_rdram_regs and write_rdram_regs functions, which enables executing arbitrary commands on the host machine.
CVE-2025-8760 2026-04-15 9.8 Critical
A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. This affects the function base64_decode of the component fcgi_server. The manipulation of the argument Authorization leads to buffer overflow. It is possible to initiate the attack remotely.
CVE-2025-8736 1 Gnu 1 Cflow 2026-04-15 5.3 Medium
A vulnerability, which was classified as critical, has been found in GNU cflow up to 1.8. Affected by this issue is the function yylex of the file c.c of the component Lexer. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVE-2025-7464 1 Osrg 1 Gobgp 2026-04-15 3.7 Low
A vulnerability classified as problematic has been found in osrg GoBGP up to 3.37.0. Affected is the function SplitRTR of the file pkg/packet/rtr/rtr.go. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The name of the patch is e748f43496d74946d14fed85c776452e47b99d64. It is recommended to apply a patch to fix this issue.
CVE-2025-61689 2026-04-15 N/A
HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl `v1.10.19`.
CVE-2025-61481 1 Mikrotik 2 Routeros, Switchos 2026-04-15 10 Critical
An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials.
CVE-2025-5898 1 Gnu 1 Pspp 2026-04-15 5.3 Medium
A vulnerability classified as critical has been found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. Affected is the function parse_variables_option of the file utilities/pspp-convert.c. The manipulation leads to out-of-bounds write. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.