Search Results (345222 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-22045 | 1 Traefik | 1 Traefik | 2026-04-18 | 5.9 Medium | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik's automatic generation of ACME TLS certificates: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. |
| CVE-2026-1009 | 1 Altium | 2 Altium 365, Altium Live | 2026-04-18 | 9 Critical | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. |
| CVE-2026-22864 | 1 Deno | 1 Deno | 2026-04-18 | 8.1 High | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. |
| CVE-2026-1010 | 1 Altium | 2 Altium 365, On-prem Enterprise Server | 2026-04-18 | 8 High | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. |
| CVE-2026-1020 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-04-18 | 5.3 Medium | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. |
| CVE-2026-1021 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-04-18 | 9.8 Critical | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. |
| CVE-2026-1022 | 1 Gotac | 2 Statistical Database System, Statistics Database System | 2026-04-18 | 7.5 High | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2026-1023 | 1 Gotac | 2 Statistical Database System, Statistics Database System | 2026-04-18 | 7.5 High | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. |
| CVE-2026-0858 | 1 Plantuml | 1 Plantuml | 2026-04-18 | 6.1 Medium | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. |
| CVE-2026-23769 | 1 Naver | 1 Lucy-xss-filter | 2026-04-18 | 6.5 Medium | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. |
| CVE-2026-0975 | 2 Delta Electronics, Deltaww | 2 Diaview, Diaview | 2026-04-18 | 7.8 High | Delta Electronics DIAView has a Command Injection vulnerability. |
| CVE-2026-22876 | 1 Toa Corporation | 1 Trifora 3 Series | 2026-04-18 | N/A | A Path Traversal vulnerability exists in multiple Network Cameras of the TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege. |
| CVE-2026-0616 | 1 Thelibrarian | 2 The Librarian, Thelibrarian | 2026-04-18 | 7.5 High | TheLibrarian's `web_fetch` tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. |
| CVE-2026-0615 | 1 Thelibrarian | 2 The Librarian, Thelibrarian | 2026-04-18 | 7.3 High | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within the TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. |
| CVE-2026-0695 | 1 Connectwise | 2 Professional Service Automation, Psa | 2026-04-18 | 8.7 High | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed. |
| CVE-2026-21623 | 1 Stackideas | 1 Easydiscuss | 2026-04-18 | 5.4 Medium | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. |
| CVE-2026-21624 | 2 Joomla, Stackideas | 3 Joomla, Joomla!, Easydiscuss | 2026-04-18 | 5.4 Medium | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. |
| CVE-2026-0949 | 1 Enterprisedb | 1 Postgres Enterprise Manager | 2026-04-18 | 6.5 Medium | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. |
| CVE-2026-23528 | 2 Anaconda, Dask | 2 Dask, Distributed | 2026-04-18 | 6.1 Medium | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy, which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. |
| CVE-2026-0629 | 1 Tp-link | 31 Vigi C230i Mini, Vigi C240, Vigi C250 and 28 more | 2026-04-18 | N/A | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. |