Export limit exceeded: 18983 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (50 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13327 2 Astral, Redhat 3 Uv, Ai Inference Server, Openshift Ai 2026-03-18 6.3 Medium
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
CVE-2025-24928 3 Netapp, Redhat, Xmlsoft 28 Active Iq Unified Manager, H300s, H300s Firmware and 25 more 2026-02-26 7.8 High
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
CVE-2023-48022 2 Anyscale, Redhat 2 Ray, Openshift Ai 2025-12-17 9.8 Critical
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
CVE-2024-56171 3 Netapp, Redhat, Xmlsoft 28 Active Iq Unified Manager, H300s, H300s Firmware and 25 more 2025-11-03 7.8 High
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
CVE-2025-26791 2 Cure53, Redhat 6 Dompurify, Ansible Automation Platform, Network Observ Optr and 3 more 2025-10-07 4.5 Medium
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
CVE-2024-56201 2 Palletsprojects, Redhat 13 Jinja, Ansible Automation Platform, Discovery and 10 more 2025-09-22 8.8 High
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.
CVE-2025-24970 3 Netapp, Netty, Redhat 12 Active Iq Unified Manager, Oncommand Insight, Netty and 9 more 2025-09-05 7.5 High
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
CVE-2023-6019 2 Ray Project, Redhat 2 Ray, Openshift Ai 2025-08-07 9.8 Critical
A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
CVE-2025-22868 2 Go, Redhat 19 Jws, Acm, Advanced Cluster Security and 16 more 2025-05-01 7.5 High
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2024-49767 2 Palletsprojects, Redhat 3 Quart, Werkzeug, Openshift Ai 2025-01-03 7.5 High
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.