Export limit exceeded: 345106 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345106 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22734 | 1 Cloudfoundry | 2 Cf-deployment, Uaa | 2026-04-17 | 8.6 High |
| Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive). | ||||
| CVE-2026-23891 | 1 Decidim | 1 Decidim | 2026-04-17 | N/A |
| Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1. | ||||
| CVE-2026-24749 | 1 Silverstripe | 1 Silverstripe | 2026-04-17 | 5.3 Medium |
| The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3. | ||||
| CVE-2026-24906 | 1 Octobercms | 1 October | 2026-04-17 | N/A |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only | ||||
| CVE-2026-24907 | 1 Octobercms | 1 October | 2026-04-17 | N/A |
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure. | ||||
| CVE-2026-31843 | 1 Goodoneuz | 1 Pay-uz | 2026-04-17 | 9.8 Critical |
| The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability. | ||||
| CVE-2026-27820 | 1 Ruby | 1 Zlib | 2026-04-17 | 5.6 Medium |
| zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3. | ||||
| CVE-2026-28291 | 1 Steveukx | 1 Git-js | 2026-04-17 | 8.1 High |
| simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0. | ||||
| CVE-2026-30656 | 1 Axboe | 1 Fio | 2026-04-17 | 7.5 High |
| A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash. | ||||
| CVE-2026-30804 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-30806 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-30811 | 1 Pandora Fms | 1 Pandora Fms | 2026-04-17 | N/A |
| Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800 | ||||
| CVE-2026-30999 | 1 Ffmpeg | 1 Ffmpeg | 2026-04-17 | 7.5 High |
| A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. | ||||
| CVE-2026-32316 | 1 Jqlang | 1 Jq | 2026-04-17 | 8.2 High |
| jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5. | ||||
| CVE-2026-32631 | 1 Gitforwindows | 1 Git | 2026-04-17 | 7.4 High |
| Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3. | ||||
| CVE-2026-33018 | 1 Saitoha | 1 Libsixel | 2026-04-17 | 7 High |
| libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1. | ||||
| CVE-2026-33019 | 1 Saitoha | 1 Libsixel | 2026-04-17 | 7.1 High |
| libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1. | ||||
| CVE-2026-33020 | 1 Saitoha | 1 Libsixel | 2026-04-17 | 7.1 High |
| libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1. | ||||
| CVE-2026-33023 | 1 Saitoha | 1 Libsixel | 2026-04-17 | 7.8 High |
| libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1. | ||||
| CVE-2026-33083 | 1 Dataease | 1 Dataease | 2026-04-17 | N/A |
| DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21. | ||||