Export limit exceeded: 345203 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345203 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345203 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-21344 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-04-17 | 7.8 High |
| Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-1848 | 1 Mongodb | 1 Mongodb | 2026-04-17 | 7.5 High |
| Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header. | ||||
| CVE-2026-21347 | 3 Adobe, Apple, Microsoft | 3 Bridge, Macos, Windows | 2026-04-17 | 7.8 High |
| Bridge versions 15.1.3, 16.0.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-25610 | 1 Mongodb | 1 Mongodb | 2026-04-17 | 6.5 Medium |
| An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints. | ||||
| CVE-2026-25609 | 1 Mongodb | 1 Mongodb | 2026-04-17 | 5.4 Medium |
| Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only. | ||||
| CVE-2026-40183 | 1 Imagemagick | 1 Imagemagick | 2026-04-17 | 5.5 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19. | ||||
| CVE-2026-40310 | 1 Imagemagick | 1 Imagemagick | 2026-04-17 | 5.5 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19. | ||||
| CVE-2026-24913 | 1 Icz | 1 Matcha Invoice | 2026-04-17 | N/A |
| SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product. | ||||
| CVE-2026-40311 | 1 Imagemagick | 1 Imagemagick | 2026-04-17 | 5.5 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19. | ||||
| CVE-2026-27787 | 1 Icz | 2 Matcha Sns, Matchasns | 2026-04-17 | N/A |
| Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. | ||||
| CVE-2026-40312 | 1 Imagemagick | 1 Imagemagick | 2026-04-17 | 6.2 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19. | ||||
| CVE-2026-33810 | 2 Go Standard Library, Golang | 2 Crypto/x509, Go | 2026-04-17 | 7.5 High |
| When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. | ||||
| CVE-2025-70795 | 1 Safetica | 1 Stprocessmonitor | 2026-04-17 | 5.5 Medium |
| STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. | ||||
| CVE-2026-31317 | 1 Markhuot | 1 Craftql | 2026-04-17 | N/A |
| Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file | ||||
| CVE-2026-37749 | 1 Codeastro | 1 Simple Attendance Management System | 2026-04-17 | 9.8 Critical |
| A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. | ||||
| CVE-2025-36568 | 1 Dell | 1 Powerprotect Data Domain | 2026-04-17 | 7.8 High |
| Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. | ||||
| CVE-2026-6494 | 1 Redhat | 1 Ansible Automation Platform | 2026-04-17 | 5.3 Medium |
| A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the `toolsetroute` parameter. This parameter is not properly sanitized before being written to logs, allowing the attacker to inject control characters such as newlines and ANSI escape sequences. This enables the attacker to obscure legitimate log entries and insert forged ones, which could facilitate social engineering attacks, potentially leading to an operator executing dangerous commands or visiting malicious URLs. | ||||
| CVE-2026-23775 | 1 Dell | 1 Powerprotect Data Domain Appliances | 2026-04-17 | 7.6 High |
| Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled. | ||||
| CVE-2025-15622 | 1 Sparxsystems | 1 Enterprise Architect | 2026-04-17 | N/A |
| Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow. | ||||
| CVE-2026-6507 | 1 Redhat | 3 Enterprise Linux, Openshift, Openshift Container Platform | 2026-04-17 | 7.5 High |
| A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS). | ||||