Export limit exceeded: 346993 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346993 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43376 | 1 Apple | 7 Ios, Ipados, Iphone Os and 4 more | 2026-04-27 | 7.5 High |
| A logic issue was addressed with improved state management. This issue is fixed in Safari 26, iOS 18.7.7 and iPadOS 18.7.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on. | ||||
| CVE-2025-43394 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-27 | 5.5 Medium |
| This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access protected user data. | ||||
| CVE-2025-43455 | 1 Apple | 5 Ios, Ipados, Iphone Os and 2 more | 2026-04-27 | 5.5 Medium |
| A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. A malicious app may be able to take a screenshot of sensitive information in embedded views. | ||||
| CVE-2025-43382 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-27 | 5.5 Medium |
| A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data. | ||||
| CVE-2025-43401 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-27 | 7.5 High |
| A denial-of-service issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. A remote attacker may be able to cause a denial-of-service. | ||||
| CVE-2025-43397 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-27 | 5.5 Medium |
| A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to cause a denial-of-service. | ||||
| CVE-2026-6074 | 1 Intrado | 1 911 Emergency Gateway | 2026-04-27 | N/A |
| A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files. | ||||
| CVE-2026-31472 | 1 Linux | 1 Linux Kernel | 2026-04-27 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in __input_process_payload(). A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context. Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr), which catches both the tot_len=0 case and malformed ihl values. The normal IP stack performs this validation in ip_rcv_core(), but IPTFS extracts and processes inner packets before they reach that layer. | ||||
| CVE-2026-31473 | 1 Linux | 1 Linux Kernel | 2026-04-27 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices. | ||||
| CVE-2026-31474 | 1 Linux | 1 Linux Kernel | 2026-04-27 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done. | ||||
| CVE-2026-31475 | 1 Linux | 1 Linux Kernel | 2026-04-27 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: fix double free of devm_kzalloc() memory A previous change added NULL checks and cleanup for allocation failures in sma1307_setting_loaded(). However, the cleanup for mode_set entries is wrong. Those entries are allocated with devm_kzalloc(), so they are device-managed resources and must not be freed with kfree(). Manually freeing them in the error path can lead to a double free when devres later releases the same memory. Drop the manual kfree() loop and let devres handle the cleanup. | ||||
| CVE-2026-31476 | 1 Linux | 1 Linux Kernel | 2026-04-27 | 8.2 High |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put(). | ||||
| CVE-2026-41372 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 5.8 Medium |
| OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state. | ||||
| CVE-2026-41371 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 8.5 High |
| OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path. | ||||
| CVE-2026-41370 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 6.5 Medium |
| OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can bypass attachment-cache and root directory checks to access files outside intended directories. | ||||
| CVE-2026-41369 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 6.5 Medium |
| OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity. | ||||
| CVE-2026-41368 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 6.5 Medium |
| OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted. | ||||
| CVE-2026-41367 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 5 Medium |
| OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement. | ||||
| CVE-2026-41366 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 5.5 Medium |
| OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfiltrate credentials and access sensitive files. | ||||
| CVE-2026-41365 | 1 Openclaw | 1 Openclaw | 2026-04-27 | 5.4 Medium |
| OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions. | ||||