Export limit exceeded: 344982 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344982 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344982 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41034 | 1 Onlyoffice | 1 Document Server | 2026-04-16 | 5 Medium |
| ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | ||||
| CVE-2026-41035 | 1 Samba | 1 Rsync | 2026-04-16 | 7.4 High |
| In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable. | ||||
| CVE-2024-2374 | 1 Wso2 | 10 Api Manager, Identity Server, Identity Server As Key Manager and 7 more | 2026-04-16 | 7.5 High |
| The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. | ||||
| CVE-2024-4867 | 1 Wso2 | 1 Wso2 Api Manager | 2026-04-16 | 5.4 Medium |
| The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag. | ||||
| CVE-2024-8010 | 1 Wso2 | 2 Api Manager, Wso2 Api Manager | 2026-04-16 | 3.5 Low |
| The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. | ||||
| CVE-2024-10242 | 1 Wso2 | 1 Wso2 Api Manager | 2026-04-16 | 6.1 Medium |
| The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | ||||
| CVE-2025-6024 | 1 Wso2 | 2 Wso2 Api Manager, Wso2 Identity Server | 2026-04-16 | 6.1 Medium |
| The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies. | ||||
| CVE-2025-12624 | 1 Wso2 | 2 Identity Server, Wso2 Identity Server | 2026-04-16 | 6 Medium |
| Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire. | ||||
| CVE-2026-28550 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 4 Medium |
| Race condition vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28552 | 1 Huawei | 2 Emui, Harmonyos | 2026-04-16 | 6.5 Medium |
| Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28538 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 5.9 Medium |
| Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28540 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 4 Medium |
| Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2026-28541 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 4 Medium |
| Permission control vulnerability in the cellular_data module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28543 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 4.4 Medium |
| Race condition vulnerability in the maintenance and diagnostics module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28546 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 5.9 Medium |
| Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28547 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 6.8 Medium |
| Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28551 | 1 Huawei | 1 Harmonyos | 2026-04-16 | 4.7 Medium |
| Race condition vulnerability in the device security management module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-28548 | 1 Huawei | 2 Emui, Harmonyos | 2026-04-16 | 7.1 High |
| Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2026-3236 | 1 Octopus | 1 Octopus Server | 2026-04-16 | 4.3 Medium |
| In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token. | ||||
| CVE-2026-27750 | 2 Avira, Gen Digital | 3 Avira Internet Security Suite, Internet Security, Avira Internet Security | 2026-04-16 | 7.8 High |
| Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target. | ||||