Export limit exceeded: 366574 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366574 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-48260 | 2026-07-15 | 5.4 Medium | ||
| Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-15702 | 1 Tamagui | 1 Tamagui | 2026-07-15 | 6.3 Medium |
| A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to version 2.3.1 is able to mitigate this issue. The name of the patch is e46af9879b7627934ea4d6d6e46e65cea53abb3d. The affected component should be upgraded. | ||||
| CVE-2026-54469 | 1 Dell | 1 Unisphere For Powermax | 2026-07-15 | 8.8 High |
| Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | ||||
| CVE-2026-59791 | 1 Jetbrains | 1 Youtrack | 2026-07-15 | 3.5 Low |
| In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible | ||||
| CVE-2026-59792 | 1 Jetbrains | 1 Intellij Idea | 2026-07-15 | 9.6 Critical |
| In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible | ||||
| CVE-2026-59794 | 1 Jetbrains | 1 Teamcity | 2026-07-15 | 7.3 High |
| In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data | ||||
| CVE-2026-59796 | 1 Jetbrains | 1 Teamcity | 2026-07-15 | 8.1 High |
| In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks | ||||
| CVE-2025-5278 | 1 Redhat | 6 Cost Management, Discovery, Enterprise Linux and 3 more | 2026-07-15 | 4.4 Medium |
| A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. | ||||
| CVE-2026-4878 | 2 Libcap Project, Redhat | 18 Libcap, Ai Inference Server, Cost Management and 15 more | 2026-07-15 | 6.7 Medium |
| A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation. | ||||
| CVE-2026-15809 | 1 Redhat | 2 Confidential Compute Attestation, Openshift | 2026-07-15 | 7.8 High |
| A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable. | ||||
| CVE-2026-15779 | 1 Redhat | 1 Enterprise Linux | 2026-07-15 | 6.1 Medium |
| A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation. | ||||
| CVE-2026-58556 | 2026-07-15 | 5.1 Medium | ||
| Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-58558 | 2026-07-15 | 7.8 High | ||
| Permission control vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2026-3014 | 2026-07-15 | 9.1 Critical | ||
| Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API. The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service. | ||||
| CVE-2026-58559 | 2026-07-15 | 6.5 Medium | ||
| DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2025-40646 | 2 Energycrm, Viday | 2 Energy Crm, Viday | 2026-07-15 | 5.4 Medium |
| Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload. | ||||
| CVE-2026-47422 | 1 Frappe | 1 Frappe | 2026-07-15 | N/A |
| Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2. | ||||
| CVE-2026-10769 | 1 Drupal | 1 Commerce Core | 2026-07-15 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6. | ||||
| CVE-2026-15089 | 1 Drupal | 1 Commerce Guest Registration | 2026-07-15 | 9.1 Critical |
| vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*. | ||||
| CVE-2026-15709 | 1 Redhat | 1 Enterprise Linux | 2026-07-15 | 7.5 High |
| A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS). | ||||