Export limit exceeded: 357872 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357872 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (357872 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12065 | 1 Groww | 1 Stock Mutual Fund Gold App | 2026-06-12 | 1.8 Low |
| A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-33590 | 1 Portainer | 1 Portainer Community Edition | 2026-06-12 | N/A |
| Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent access on the host. | ||||
| CVE-2026-45467 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-06-12 | 4.6 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2026-45481 | 1 Microsoft | 4 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 and 1 more | 2026-06-12 | 7.3 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2026-10586 | 2 Wordpress, Wpdevteam | 2 Wordpress, Gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns | 2026-06-12 | 7.2 High |
| The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2026-47139 | 1 Patriksimek | 1 Vm2 | 2026-06-12 | 8.6 High |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4. | ||||
| CVE-2026-44205 | 1 Frappe | 1 Frappe | 2026-06-12 | N/A |
| Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0. | ||||
| CVE-2026-53816 | 1 Openclaw | 1 Openclaw | 2026-06-12 | 7.2 High |
| OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide. | ||||
| CVE-2026-47298 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-06-12 | 8 High |
| Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-53817 | 1 Openclaw | 1 Openclaw | 2026-06-12 | 8.8 High |
| OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation. | ||||
| CVE-2026-53806 | 1 Openclaw | 1 Openclaw | 2026-06-12 | 8.8 High |
| OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled. | ||||
| CVE-2026-45484 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-06-12 | 8.8 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-49818 | 1 Apache | 2 Airflow Samba Provider, Apache-airflow-providers-samba | 2026-06-12 | 6.5 Medium |
| The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`. | ||||
| CVE-2026-44083 | 2 Qnap, Qnap Systems | 2 Qumagie, Qumagie | 2026-06-12 | 9.8 Critical |
| An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later | ||||
| CVE-2026-22769 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2026-06-12 | 10 Critical |
| Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible. | ||||
| CVE-2026-6973 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-06-12 | 7.2 High |
| An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | ||||
| CVE-2025-62858 | 2 Qnap, Qnap Systems | 4 Qts, Quts Hero, Qts and 1 more | 2026-06-12 | 6.5 Medium |
| A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | ||||
| CVE-2026-48560 | 1 Microsoft | 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more | 2026-06-12 | 5.4 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2026-42647 | 2 Beardev, Wordpress | 2 Joomsport, Wordpress | 2026-06-12 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7. | ||||
| CVE-2026-48562 | 1 Microsoft | 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more | 2026-06-12 | 4.6 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||