Search Results (345877 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-34188 1 Pandora Fms 1 Pandora Fms 2026-04-17 N/A
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800
CVE-2026-30809 1 Pandora Fms 1 Pandora Fms 2026-04-17 N/A
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800
CVE-2026-30812 1 Pandora Fms 1 Pandora Fms 2026-04-17 N/A
Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800
CVE-2025-69627 1 Nitro 1 Pdf Pro 2026-04-17 8.4 High
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes.
CVE-2026-0636 1 Bouncycastle 1 Bc-java 2026-04-17 N/A
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84.
CVE-2026-33193 1 Docmost 1 Docmost 2026-04-17 4.6 Medium
Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.
CVE-2026-30993 1 Slah Cms 1 Slah Cms 2026-04-17 9.8 Critical
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.
CVE-2026-30995 1 Slah Cms 1 Slah Cms 2026-04-17 8.6 High
Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
CVE-2026-30994 1 Slah Cms 1 Slah Cms 2026-04-17 7.5 High
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
CVE-2026-31281 1 Totara 1 Lms 2026-04-17 8 High
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in execution of the code, which may lead to session hijacking and executing commands on the victim's browser.
CVE-2026-31282 1 Totara 1 Lms 2026-04-17 9.8 Critical
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.
CVE-2026-31283 1 Totara 1 Lms 2026-04-17 9.8 Critical
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack.
CVE-2026-29628 1 Kiyochii 1 Tinyobjloader 2026-04-17 6.2 Medium
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
CVE-2026-1462 1 Keras 1 Keras 2026-04-17 7.8 High
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.
CVE-2026-30997 1 Ffmpeg 1 Ffmpeg 2026-04-17 7.5 High
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2026-30998 1 Ffmpeg 1 Ffmpeg 2026-04-17 7.5 High
An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
CVE-2025-63939 1 Anirudhkannanvp 1 Grocery Store Management System 2026-04-17 9.8 Critical
Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
CVE-2026-39940 1 Churchcrm 1 Churchcrm 2026-04-17 N/A
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example; however, all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.
CVE-2025-51414 1 Phpgurukul 1 Online Course Registration 2026-04-17 8.8 High
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
CVE-2026-26460 1 Vtiger 1 Crm 2026-04-17 6.1 Medium
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser