Export limit exceeded: 342090 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 342090 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342090 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33105 | 1 Microsoft | 1 Azure Kubernetes Service | 2026-04-03 | 10 Critical |
| Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-32173 | 1 Microsoft | 2 Azure Sre Agent Gateway, Azure Sre Agent Gateway Signalr Hub | 2026-04-03 | 8.6 High |
| Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-32211 | 1 Microsoft | 1 Azure Web Apps | 2026-04-03 | 9.1 Critical |
| Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-35507 | 1 Milesmcc | 1 Shynet | 2026-04-03 | 6.4 Medium |
| Shynet before 0.14.0 allows Host header injection in the password reset flow. | ||||
| CVE-2026-35508 | 1 Milesmcc | 1 Shynet | 2026-04-03 | 5.4 Medium |
| Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters, | ||||
| CVE-2026-28815 | 1 Apple | 1 Macos | 2026-04-03 | N/A |
| A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1. | ||||
| CVE-2026-35535 | 1 Sudo Project | 1 Sudo | 2026-04-03 | 7.4 High |
| In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. | ||||
| CVE-2026-35536 | 1 Tornadoweb | 1 Tornado | 2026-04-03 | 7.2 High |
| In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters. | ||||
| CVE-2026-5452 | 1 Ucc | 1 Campusconnect App | 2026-04-03 | 3.3 Low |
| A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key . The attack can only be executed locally. The exploit has been published and may be used. | ||||
| CVE-2026-35537 | 1 Roundcube | 1 Webmail | 2026-04-03 | 3.7 Low |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. | ||||
| CVE-2026-35538 | 1 Roundcube | 1 Webmail | 2026-04-03 | 3.1 Low |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. | ||||
| CVE-2026-35539 | 1 Roundcube | 1 Webmail | 2026-04-03 | 6.1 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment. | ||||
| CVE-2026-35540 | 1 Roundcube | 1 Webmail | 2026-04-03 | 5.4 Medium |
| An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. | ||||
| CVE-2026-35541 | 1 Roundcube | 1 Webmail | 2026-04-03 | 4.2 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. | ||||
| CVE-2026-35542 | 1 Roundcube | 1 Webmail | 2026-04-03 | 5.3 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass. | ||||
| CVE-2026-35543 | 1 Roundcube | 1 Webmail | 2026-04-03 | 5.3 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass. | ||||
| CVE-2026-35544 | 1 Roundcube | 1 Webmail | 2026-04-03 | 5.3 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important. | ||||
| CVE-2026-35545 | 1 Roundcube | 1 Webmail | 2026-04-03 | 5.3 Medium |
| An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke. | ||||
| CVE-2026-5453 | 1 Rico | 1 Só Vantagem Pra Investir App | 2026-04-03 | 3.3 Low |
| A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key . The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5463 | 1 Dan Mcinerney | 1 Pymetasploit3 | 2026-04-03 | 8.6 High |
| Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions. | ||||