Export limit exceeded: 43383 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (43383 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41144 | 1 Nasa | 1 Fprime | 2026-04-22 | 0 Low |
| F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check byteOffset + dataSize > fileSize uses U32 addition that wraps around on overflow. An attacker-crafted DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 overflows to 0, bypassing the check entirely. The subsequent file write proceeds at the original ~4GB offset. Additionally, Svc/FileUplink/File.cpp:20-31 performs no sanitization on the destination file path. Combined, these allow writing arbitrary data to any file at any offset. The impact is arbitrary file write leading to remote code execution on embedded targets. Note that this is a logic bug. ASAN does not detect it because all memory accesses are within valid buffers — the corruption occurs in file I/O. Version 4.2.0 contains a patch. No known workarounds are available. | ||||
| CVE-2026-4296 | 1 Github | 1 Enterprise Server | 2026-04-22 | N/A |
| An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2026-33611 | 1 Powerdns | 1 Authoritative | 2026-04-22 | 6.5 Medium |
| An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | ||||
| CVE-2026-40568 | 1 Freescout Helpdesk | 1 Freescout | 2026-04-22 | 8.5 High |
| FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue. | ||||
| CVE-2026-40567 | 1 Freescout Helpdesk | 1 Freescout | 2026-04-22 | 5.8 Medium |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue. | ||||
| CVE-2026-26067 | 1 Octobercms | 1 October | 2026-04-22 | 4.9 Medium |
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10. | ||||
| CVE-2026-26274 | 1 Octobercms | 1 October | 2026-04-22 | 6.6 Medium |
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10. | ||||
| CVE-2026-40871 | 1 Mailcow | 1 Mailcow Dockerized | 2026-04-22 | 7.2 High |
| mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability. | ||||
| CVE-2026-34177 | 1 Canonical | 1 Lxd | 2026-04-22 | 9.1 Critical |
| Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. | ||||
| CVE-2025-43532 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-22 | 2.8 Low |
| A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing malicious data may lead to unexpected app termination. | ||||
| CVE-2026-6194 | 1 Totolink | 1 A3002mu | 2026-04-22 | 8.8 High |
| A weakness has been identified in Totolink A3002MU B20211125.1046. Affected by this vulnerability is the function sub_410188 of the file /boafrm/formWlanSetup of the component HTTP Request Handler. This manipulation of the argument wan-url causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-6198 | 1 Tenda | 1 F456 | 2026-04-22 | 8.8 High |
| A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-6192 | 1 Uclouvain | 1 Openjpeg | 2026-04-22 | 3.3 Low |
| A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue. | ||||
| CVE-2026-6196 | 1 Tenda | 1 F456 | 2026-04-22 | 8.8 High |
| A vulnerability was detected in Tenda F456 1.0.0.5. This affects the function fromexeCommand of the file /goform/exeCommand. Performing a manipulation of the argument cmdinput results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. | ||||
| CVE-2026-6199 | 1 Tenda | 1 F456 | 2026-04-22 | 8.8 High |
| A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-6197 | 1 Tenda | 1 F456 | 2026-04-22 | 8.8 High |
| A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-6186 | 1 Utt | 1 Hiper 1200gw | 2026-04-22 | 8.8 High |
| A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306. This vulnerability affects the function strcpy of the file /goform/formNatStaticMap. The manipulation of the argument NatBind leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-6200 | 1 Tenda | 1 F456 | 2026-04-22 | 8.8 High |
| A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-6630 | 1 Tenda | 2 F451, F451 Firmware | 2026-04-22 | 8.8 High |
| A vulnerability was found in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-6594 | 1 Brikcss | 1 Merge | 2026-04-22 | 7.3 High |
| A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. | ||||