Export limit exceeded: 364647 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364647 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364647 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57870 1 Microrealestate 1 Microrealestate 2026-07-10 N/A
Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3.
CVE-2026-57871 1 Microrealestate 1 Microrealestate 2026-07-10 N/A
Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files. This issue affects MicroRealEstate: through 1.0.0-alpha3.
CVE-2026-5730 1 Idvlabs 1 Ontime 2026-07-10 7.5 High
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.
CVE-2026-5799 1 Idvlabs 1 Ontime 2026-07-10 7.5 High
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.
CVE-2026-7380 1 Armiya 1 Access Control System (gks) 2026-07-10 6.1 Medium
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows XSS Targeting HTML Attributes. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-8306 1 Armiya 1 Access Control System (gks) 2026-07-10 6.1 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Stored XSS. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-8309 1 Armiya 1 Access Control System (gks) 2026-07-10 5.4 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Reflected XSS. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-8377 1 Armiya 1 Access Control System (gks) 2026-07-10 8.2 High
Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Collect Data from Common Resource Locations. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-58384 2 Gnu, Redhat 2 Gimp, Enterprise Linux 2026-07-10 7.3 High
A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
CVE-2026-13199 1 Raspberrypi 1 Raspberry Pi 5 And Compute Module 5 2026-07-10 4 Medium
EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilities. Additionally, the low-quality RNG seed may affect the quality of random numbers or delay booting while sufficient entropy is accumulated from other sources.
CVE-2026-14476 2 Redhat, Sssd 4 Enterprise Linux, Openshift, Openshift Container Platform and 1 more 2026-07-10 8 High
A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
CVE-2026-33264 1 Apache 1 Airflow 2026-07-10 9.8 Critical
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.
CVE-2026-11340 1 Havelsan 1 Liman Mys 2026-07-10 8.3 High
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107.
CVE-2026-11348 1 Havelsan 1 Liman Mys 2026-07-10 8.1 High
Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data. This issue affects Liman MYS: before release.Master.1107.
CVE-2026-13696 1 Havelsan 1 Liman Mys 2026-07-10 8.8 High
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection. This issue affects Liman MYS: before release.Master.1107.
CVE-2011-10043 1 Bingos 1 Module::load 2026-07-10 9.8 Critical
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
CVE-2026-6101 2 Mohammed Kaludi, Wordpress 2 Amp For Wp – Accelerated Mobile Pages, Wordpress 2026-07-10 7.5 High
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, potentially leading to remote code execution on hosts that execute PHP files in the uploads directory.
CVE-2026-12352 1 Digi International 2 Digi One Sp / Sp Ia / Ia, Portserver Ts 1/2/4 2026-07-10 5.9 Medium
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
CVE-2026-12948 1 Digi International 4 Digi One Ia, Digi One Sp, Digi One Sp Ia and 1 more 2026-07-10 N/A
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
CVE-2026-14935 2 Gstreamer, Redhat 2 Gstreamer, Enterprise Linux 2026-07-10 3.7 Low
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.