Export limit exceeded: 346028 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346028 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2795 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 8.8 High |
| Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2796 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 9.8 Critical |
| JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2797 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 8.8 High |
| Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2798 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 8.8 High |
| Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2799 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 8.8 High |
| Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-34397 | 1 Himmelblau-idm | 1 Himmelblau | 2026-04-15 | 6.3 Medium |
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1. | ||||
| CVE-2019-25572 | 1 Nordvpn | 1 Nordvpn | 2026-04-15 | 6.2 Medium |
| NordVPN 6.19.6 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the email input field. Attackers can paste a buffer of 100,000 characters into the email field during login to trigger an application crash. | ||||
| CVE-2026-35632 | 1 Openclaw | 1 Openclaw | 2026-04-15 | 7.1 High |
| OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation. | ||||
| CVE-2019-25575 | 2 Simplepresscms, Sourceforge | 2 Simplepress Cms, Simplepress Cms | 2026-04-15 | 8.2 High |
| SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2019-25576 | 1 Keplerwallpapers | 1 Kepler Wallpaper Script | 2026-04-15 | 8.2 High |
| Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details. | ||||
| CVE-2026-2800 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 9.8 Critical |
| Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2801 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 7.5 High |
| Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2802 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 4.2 Medium |
| Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2803 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 7.5 High |
| Information disclosure, mitigation bypass in the Settings UI component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2804 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 5.4 Medium |
| Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2805 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 9.8 Critical |
| Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2806 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 9.1 Critical |
| Uninitialized memory in the Graphics: Text component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2807 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 9.8 Critical |
| Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-2410 | 2 Themeisle, Wordpress | 2 Disable Admin Notices – Hide Dashboard Notifications, Wordpress | 2026-04-15 | 4.3 Medium |
| The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2301 | 2 Metaphorcreations, Wordpress | 2 Post Duplicator, Wordpress | 2026-04-15 | 4.3 Medium |
| The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint. | ||||