Export limit exceeded: 11625 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11625 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10024 | 1 Exert | 1 Education Management System | 2026-06-05 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. | ||||
| CVE-2025-10161 | 1 Turkguven | 1 Perfektive | 2026-06-05 | 7.3 High |
| Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass. This issue affects Perfektive: before Version: 12574 Build: 2701. | ||||
| CVE-2026-3276 | 1 Python | 1 Cpython | 2026-06-05 | 5.3 Medium |
| unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. | ||||
| CVE-2026-49192 | 1 Acer | 3 Connect M6e 5g, Connect M6e 5g Firmware, Connect M6e 5g Portable Wifi Router | 2026-06-05 | 5.4 Medium |
| The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping. | ||||
| CVE-2026-47320 | 1 Samsung Open Source | 1 Rlottie | 2026-06-05 | 6.1 Medium |
| Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads. This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3. | ||||
| CVE-2026-47306 | 1 Samsung Open Source | 1 Rlottie | 2026-06-05 | 6.1 Medium |
| Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945. | ||||
| CVE-2026-6657 | 1 Jupyter | 1 Jupyter Server | 2026-06-05 | 6.1 Medium |
| A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses. | ||||
| CVE-2025-10855 | 1 Solvera Software | 1 Teknoera | 2026-06-05 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. | ||||
| CVE-2025-10912 | 1 Saastech Cleaning And Internet Services Inc. | 1 Temizlikyolda | 2026-06-05 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables. This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14772 | 1 Abb | 1 T-mac Plus | 2026-06-04 | 8.8 High |
| Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | ||||
| CVE-2026-41569 | 1 Goauthentik | 1 Authentik | 2026-06-04 | 6.1 Medium |
| authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3. | ||||
| CVE-2026-4224 | 1 Python | 2 Cpython, Python | 2026-06-04 | 7.5 High |
| When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | ||||
| CVE-2026-50266 | 1 Openstack | 1 Neutron | 2026-06-04 | 2.2 Low |
| In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018). | ||||
| CVE-2026-40181 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 6.1 Medium |
| React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4. | ||||
| CVE-2025-52608 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.1 Low |
| HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root. | ||||
| CVE-2025-52609 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.7 Low |
| HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers. | ||||
| CVE-2026-45810 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-04 | 6.8 Medium |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3 | ||||
| CVE-2026-10597 | 1 Itpison | 1 Omicard Edm | 2026-06-04 | 5.3 Medium |
| OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address. | ||||
| CVE-2026-46447 | 1 Openstack | 1 Ironic | 2026-06-04 | 5.8 Medium |
| OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | ||||
| CVE-2026-44917 | 1 Openstack | 1 Ironic | 2026-06-04 | 4.9 Medium |
| OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | ||||