Export limit exceeded: 335225 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335225 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27967 | 1 Zed-industries | 1 Zed | 2026-02-27 | 7.1 High |
| Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue. | ||||
| CVE-2026-2302 | 1 Mongodb | 1 Ruby Driver | 2026-02-27 | 6.5 Medium |
| Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code. | ||||
| CVE-2026-27975 | 1 Ajenti | 1 Ajenti | 2026-02-27 | N/A |
| Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13. | ||||
| CVE-2026-3221 | 1 Devolutions | 1 Server | 2026-02-27 | 4.9 Medium |
| Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access. | ||||
| CVE-2026-28083 | 2 Uxthemes, Wordpress | 2 Flatsome, Wordpress | 2026-02-27 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Stored XSS.This issue affects Flatsome: from n/a through <= 3.20.1. | ||||
| CVE-2026-27847 | 1 Linksys | 2 Mr9600, Mx4200 | 2026-02-27 | 9.8 Critical |
| Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200. | ||||
| CVE-2026-27846 | 1 Linksys | 2 Mr9600, Mx4200 | 2026-02-27 | 6.2 Medium |
| Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200. | ||||
| CVE-2026-3206 | 1 Krakend | 2 Krakend-ce, Krakend-ee | 2026-02-27 | N/A |
| Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (CircuitBreaker modules), KrakenD, SLU KrakenD-EE (CircuitBreaker modules). This issue affects KrakenD-CE: before 2.13.1; KrakenD-EE: before 2.12.5. | ||||
| CVE-2026-20033 | 1 Cisco | 1 Cisco Nx-os System Software In Aci Mode | 2026-02-27 | 7.4 High |
| A vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation when processing specific Ethernet frames. An attacker could exploit this vulnerability by sending a crafted Ethernet frame to the management interface of an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. Note: Only the out-of-band (OOB) management interface is affected. | ||||
| CVE-2026-20037 | 1 Cisco | 1 Unified Computing System Manager | 2026-02-27 | 4.4 Medium |
| A vulnerability in the NX-OS CLI privilege levels of Cisco UCS Manager Software could allow an authenticated, local attacker with read-only privileges to modify files and perform unauthorized actions on an affected system. This vulnerability exists because unnecessary privileges are given to the user. An attacker could exploit this vulnerability by authenticating to a device as a read-only user and connecting to the NX-OS CLI. A successful exploit could allow the attacker to create or overwrite files in the file system or perform limited privileged actions on an affected device. | ||||
| CVE-2026-20122 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-02-27 | 5.4 Medium |
| A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges. | ||||
| CVE-2026-20133 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-02-27 | 6.5 Medium |
| A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system. | ||||
| CVE-2026-20048 | 1 Cisco | 1 Cisco Nx-os System Software In Aci Mode | 2026-02-27 | 7.7 High |
| A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper processing when parsing SNMP requests. An attacker could exploit this vulnerability by continuously sending SNMP queries to a specific MIB of an affected device. A successful exploit could allow the attacker to cause a kernel panic on the device, resulting in a reload and a DoS condition. Note: This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv1 or SNMPv2c, the attacker must have a valid read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. | ||||
| CVE-2026-20129 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-02-27 | 9.8 Critical |
| A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the netadmin role. The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. | ||||
| CVE-2026-27728 | 1 Oneuptime | 1 Oneuptime | 2026-02-27 | 10 Critical |
| OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability. | ||||
| CVE-2026-27702 | 1 Budibase | 1 Budibase | 2026-02-27 | 9.9 Critical |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch. | ||||
| CVE-2025-14511 | 1 Gitlab | 1 Gitlab | 2026-02-27 | 7.5 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions. | ||||
| CVE-2026-1725 | 1 Gitlab | 1 Gitlab | 2026-02-27 | 5.3 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint. | ||||
| CVE-2026-1747 | 1 Gitlab | 1 Gitlab | 2026-02-27 | 4.3 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages. | ||||
| CVE-2026-1388 | 1 Gitlab | 1 Gitlab | 2026-02-27 | 7.5 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions. | ||||