Export limit exceeded: 363284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 85517 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (85517 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-24425 2 Symfony, Twigphp 2 Twig, Twig 2026-06-02 8.8 High
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
CVE-2026-42184 1 Tauri 1 Tauri 2026-06-02 8.8 High
Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check to see if the origin is local, only checks the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3.
CVE-2026-37579 1 Smsgate 1 Sms-core 2026-06-02 7.3 High
An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component
CVE-2026-28955 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 8.8 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28905 1 Apple 6 Ios And Ipados, Ipados, Iphone Os and 3 more 2026-06-02 7.5 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28953 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 7.5 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28947 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 8.8 High
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2026-43660 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 7.5 High
A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
CVE-2026-43658 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 7.5 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2026-28883 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 7.5 High
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28847 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 8.8 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28904 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 7.5 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28907 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-06-02 8.1 High
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
CVE-2025-48615 1 Google 1 Android 2026-06-01 7.8 High
In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48612 1 Google 1 Android 2026-06-01 7.8 High
In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48581 1 Google 1 Android 2026-06-01 8.4 High
In VerifyNoOverlapInSessions of apexd.cpp, there is a possible way to block security updates due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-39292 1 Hansschouten 1 Phppagebuilder 2026-06-01 7.3 High
Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of uploaded file types and executable content.
CVE-2026-10179 1 Trendnet 1 Tew-432brp 2026-06-01 8.8 High
A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This issue affects the function formSetWlanEncrypt of the file /goform/formSetWlanEncrypt. This manipulation of the argument webpage causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2026-10281 1 Enderfga 1 Claw-orchestrator 2026-06-01 7.3 High
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.
CVE-2026-44848 1 Portainer 1 Portainer 2026-06-01 8.8 High
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.