Export limit exceeded: 343612 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343612 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5898 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5899 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5900 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5901 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2026-5902 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5903 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5904 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2026-5913 | 1 Google | 1 Chrome | 2026-04-09 | N/A |
| Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-40026 | 1 Sleuthkit | 1 The Sleuth Kit | 2026-04-09 | 4.4 Medium |
| The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop. | ||||
| CVE-2026-40028 | 1 Yamato-security | 1 Hayabusa | 2026-04-09 | 5.4 Medium |
| Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution. | ||||
| CVE-2026-40032 | 1 Tclahr | 1 Uac | 2026-04-09 | 7.8 High |
| UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process. | ||||
| CVE-2026-40036 | 1 Dfir-unfurl | 1 Dfir-unfurl | 2026-04-09 | 7.5 High |
| Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service. | ||||
| CVE-2026-5810 | 1 Sourcecodester | 1 Sales And Inventory System | 2026-04-09 | 3.5 Low |
| A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /delete.php of the component GET Parameter Handler. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-5815 | 1 D-link | 1 Dir-645 | 2026-04-09 | 8.8 High |
| A vulnerability was detected in D-Link DIR-645 1.01/1.02/1.03. Impacted is the function hedwigcgi_main of the file /cgi-bin/hedwig.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-5827 | 1 Code-projects | 1 Simple It Discussion Forum | 2026-04-09 | 7.3 High |
| A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Impacted is an unknown function of the file /question-function.php. The manipulation of the argument content leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-5832 | 1 Atototo | 1 Api-lab-mcp | 2026-04-09 | 7.3 High |
| A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-4124 | 2 Oliverfriedmann, Wordpress | 2 Ziggeo, Wordpress | 2026-04-09 | 5.4 Medium |
| The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications')). | ||||
| CVE-2026-5837 | 1 Phpgurukul | 1 News Portal Project | 2026-04-09 | 7.3 High |
| A vulnerability was found in PHPGurukul News Portal Project 4.1. This affects an unknown part of the file /news-details.php. The manipulation of the argument Comment results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-5842 | 1 Decolua | 1 9router | 2026-04-09 | 7.3 High |
| A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component. | ||||
| CVE-2026-5850 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-09 | 9.8 Critical |
| A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||