Export limit exceeded: 335194 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335194 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37227 | 1 Tribulant | 1 Newsletters | 2026-02-27 | 4.3 Medium |
| Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7. | ||||
| CVE-2025-55131 | 1 Nodejs | 1 Nodejs | 2026-02-27 | 7.1 High |
| A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | ||||
| CVE-2025-69416 | 1 Plex | 1 Media Server | 2026-02-27 | 5 Medium |
| In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. | ||||
| CVE-2025-69417 | 1 Plex | 1 Media Server | 2026-02-27 | 5 Medium |
| In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. | ||||
| CVE-2026-23873 | 1 Hustoj | 1 Hustoj | 2026-02-27 | 9.0 Critical |
| hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. | ||||
| CVE-2026-25997 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 9.8 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25955 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 9.8 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25954 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 7.5 High |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25953 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 9.8 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25952 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 9.8 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25942 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 7.5 High |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-25941 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 4.3 Medium |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue. | ||||
| CVE-2026-25959 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 9.8 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue. | ||||
| CVE-2026-23996 | 1 Athroniaeth | 2 Fastapi-api-key, Fastapi Api Key | 2026-02-27 | 3.7 Low |
| FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. | ||||
| CVE-2026-23627 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-02-27 | 8.8 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue. | ||||
| CVE-2026-27943 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-02-27 | 6.5 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository. | ||||
| CVE-2026-26955 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 8.8 High |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch. | ||||
| CVE-2026-26965 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 8.8 High |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability. | ||||
| CVE-2026-23957 | 1 Lxsmnsyc | 1 Seroval | 2026-02-27 | 7.5 High |
| seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. | ||||
| CVE-2026-27015 | 1 Freerdp | 1 Freerdp | 2026-02-27 | 6.5 Medium |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue. | ||||