Export limit exceeded: 347351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (347351 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40472 | 1 Hackage-server | 1 Hackage-server | 2026-04-28 | 9.9 Critical |
| In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks. | ||||
| CVE-2026-5039 | 1 Tp-link | 1 Tl-wl841n | 2026-04-28 | N/A |
| TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition. | ||||
| CVE-2026-41173 | 1 Opentelemetry | 1 Opentelemetry-dotnet-contrib | 2026-04-28 | 5.9 Medium |
| The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8. | ||||
| CVE-2026-41213 | 1 Node-oauth | 1 Node-oauth2-server | 2026-04-28 | 5.9 Medium |
| @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds. | ||||
| CVE-2026-6375 | 1 Spicejet | 1 Online Booking System | 2026-04-28 | N/A |
| A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access. | ||||
| CVE-2026-6376 | 1 Spicejet | 1 Online Booking System | 2026-04-28 | N/A |
| A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function. | ||||
| CVE-2026-28525 | 1 Sbabic | 1 Swupdate | 2026-04-28 | 6.8 Medium |
| SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket. | ||||
| CVE-2026-26210 | 1 Kvcache-ai | 1 Ktransformers | 2026-04-28 | 9.8 Critical |
| KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process. | ||||
| CVE-2026-1789 | 1 Canon | 15 I-sensys C1533if Ii, I-sensys Mf842cdw, I-sensys X C1538 If Ii and 12 more | 2026-04-28 | 4.9 Medium |
| A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers and office/small office multifunction printers. | ||||
| CVE-2026-25775 | 1 Senselive | 1 X3050 | 2026-04-28 | 9.8 Critical |
| A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware. | ||||
| CVE-2026-32952 | 1 Azure | 1 Go-ntlmssp | 2026-04-28 | 5.3 Medium |
| go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue. | ||||
| CVE-2026-41316 | 1 Ruby | 1 Erb | 2026-04-28 | 8.1 High |
| ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue. | ||||
| CVE-2026-41319 | 1 Jstedfast | 1 Mailkit | 2026-04-28 | 6.5 Medium |
| MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue. | ||||
| CVE-2026-2028 | 2 Ckp267, Wordpress | 2 Maxiblocks Builder, Wordpress | 2026-04-28 | 5.3 Medium |
| The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators. | ||||
| CVE-2026-6947 | 1 D-link | 1 Dwm-222w | 2026-04-28 | 7.5 High |
| DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device. | ||||
| CVE-2026-5364 | 2 Addonsorg, Wordpress | 2 Drag And Drop File Upload For Contact Form 7, Wordpress | 2026-04-28 | 8.1 High |
| The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability. | ||||
| CVE-2026-5347 | 2 Mhmrajib, Wordpress | 2 Wp Books Gallery – Build Stunning Book Showcases & Libraries In Minutes, Wordpress | 2026-04-28 | 5.3 Medium |
| The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings. | ||||
| CVE-2025-11762 | 2 Hubspotdev, Wordpress | 2 Hubspot All-in-one Marketing – Forms, Popups, Live Chat, Wordpress | 2026-04-28 | 4.3 Medium |
| The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks. | ||||
| CVE-2026-3565 | 2 Taqnix, Wordpress | 2 Taqnix, Wordpress | 2026-04-28 | 4.3 Medium |
| The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request granted they can trick the user into performing an action such as clicking a link or visiting a malicious page. | ||||
| CVE-2026-4078 | 2 Iteras, Wordpress | 2 Iteras, Wordpress | 2026-04-28 | 6.4 Medium |
| The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '"'.$key.'": "'.$value.'"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||