Export limit exceeded: 344621 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344621 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3778 | 4 Apple, Foxit, Foxitsoftware and 1 more | 6 Macos, Pdf Editor, Pdf Reader and 3 more | 2026-04-14 | 6.2 Medium |
| The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes. | ||||
| CVE-2026-32721 | 1 Openwrt | 2 Luci, Openwrt | 2026-04-14 | 8.6 High |
| LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b. | ||||
| CVE-2026-30924 | 2 Autobrr, Getqui | 2 Qui, Qui | 2026-04-14 | 8.8 High |
| qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication. | ||||
| CVE-2026-29059 | 2 Windmill, Windmill-labs | 2 Windmill, Windmill | 2026-04-14 | 7.5 High |
| Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3. | ||||
| CVE-2026-36947 | 2 Oretnom23, Sourcecodester | 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System | 2026-04-14 | 2.7 Low |
| Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php. | ||||
| CVE-2026-36946 | 2 Oretnom23, Sourcecodester | 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System | 2026-04-14 | 2.7 Low |
| Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php. | ||||
| CVE-2026-36923 | 2 Oretnom23, Sourcecodester | 2 Cab Management System, Cab Management System | 2026-04-14 | 2.7 Low |
| Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php. | ||||
| CVE-2026-36922 | 2 Oretnom23, Sourcecodester | 2 Cab Management System, Cab Management System | 2026-04-14 | 2.7 Low |
| Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php. | ||||
| CVE-2026-36874 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-14 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php. | ||||
| CVE-2026-36873 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-14 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php. | ||||
| CVE-2026-36872 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-14 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php. | ||||
| CVE-2026-36236 | 2 Janobe, Sourcecodester | 2 Engineers Online Portal, Engineers Online Portal | 2026-04-14 | 9.8 Critical |
| SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. | ||||
| CVE-2026-36234 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-14 | 9.8 Critical |
| itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter. | ||||
| CVE-2026-36235 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-14 | 9.8 Critical |
| A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation. | ||||
| CVE-2026-36233 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-14 | 9.8 Critical |
| A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation. | ||||
| CVE-2026-36232 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-14 | 9.8 Critical |
| A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation. | ||||
| CVE-2026-1092 | 1 Gitlab | 1 Gitlab | 2026-04-14 | 7.5 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. | ||||
| CVE-2026-29087 | 1 Hono | 1 Node-server | 2026-04-14 | 7.5 High |
| @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10. | ||||
| CVE-2026-39942 | 2 Directus, Monospace | 2 Directus, Directus | 2026-04-14 | 8.5 High |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0. | ||||
| CVE-2026-4092 | 1 Google | 1 Clasp | 2026-04-14 | 8.8 High |
| Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences. | ||||