Export limit exceeded: 344763 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344763 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34627 | 2026-04-14 | 7.8 High | ||
| InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-33118 | 1 Microsoft | 1 Edge Chromium | 2026-04-14 | 4.3 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2026-27906 | 1 Microsoft | 6 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 3 more | 2026-04-14 | 4.4 Medium |
| Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-27246 | 2026-04-14 | 9.3 Critical | ||
| Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-26154 | 1 Microsoft | 7 Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and 4 more | 2026-04-14 | 7.5 High |
| Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network. | ||||
| CVE-2026-26143 | 1 Microsoft | 1 Powershell | 2026-04-14 | 7.8 High |
| Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2026-24906 | 2026-04-14 | N/A | ||
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only | ||||
| CVE-2026-23666 | 1 Microsoft | 1 .net | 2026-04-14 | 7.5 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2025-70023 | 2026-04-14 | N/A | ||
| An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. | ||||
| CVE-2025-69993 | 2026-04-14 | 6.1 Medium | ||
| Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. | ||||
| CVE-2025-65136 | 2026-04-14 | 6.1 Medium | ||
| In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | ||||
| CVE-2025-65135 | 2026-04-14 | 9.8 Critical | ||
| In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | ||||
| CVE-2025-65132 | 2026-04-14 | 6.1 Medium | ||
| alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | ||||
| CVE-2025-63939 | 2026-04-14 | 9.8 Critical | ||
| Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. | ||||
| CVE-2025-49547 | 1 Adobe | 2 Adobe Experience Manager, Experience Manager | 2026-04-14 | 5.4 Medium |
| Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed. | ||||
| CVE-2025-49534 | 1 Adobe | 2 Adobe Experience Manager, Experience Manager | 2026-04-14 | 5.4 Medium |
| Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed. | ||||
| CVE-2026-4832 | 2026-04-14 | N/A | ||
| CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port. | ||||
| CVE-2026-34934 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-14 | 9.8 Critical |
| PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90. | ||||
| CVE-2026-34935 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-14 | 9.8 Critical |
| PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69. | ||||
| CVE-2026-34936 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-14 | 7.7 High |
| PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90. | ||||