Export limit exceeded: 343019 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 343019 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343019 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5622 | 1 Hcengineering | 1 Huly | 2026-04-07 | 3.7 Low |
| A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5647 | 1 Code-projects | 1 Online Shoe Store | 2026-04-07 | 2.4 Low |
| A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/admin_feature.php of the component Add Product Page. The manipulation of the argument product_name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2026-31053 | 1 Rizin | 1 Rizin | 2026-04-07 | 6.2 Medium |
| A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline. | ||||
| CVE-2026-31153 | 1 Bynder | 1 Bynder | 2026-04-07 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2026-33404 | 1 Pi-hole | 1 Web | 2026-04-07 | 3.4 Low |
| Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5. | ||||
| CVE-2026-34897 | 2 Davidlingren, Wordpress | 2 Media Library Assistant, Wordpress | 2026-04-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34. | ||||
| CVE-2026-5547 | 1 Tenda | 2 Ac10, Ac10 Firmware | 2026-04-07 | 6.3 Medium |
| A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected is the function formAddMacfilterRule of the file /bin/httpd. Such manipulation leads to os command injection. It is possible to launch the attack remotely. Multiple endpoints might be affected. | ||||
| CVE-2026-5562 | 1 Provectus | 1 Kafka-ui | 2026-04-07 | 7.3 High |
| A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5567 | 1 Tenda | 2 M3, M3 Firmware | 2026-04-07 | 8.8 High |
| A flaw has been found in Tenda M3 1.0.0.10. This vulnerability affects the function setAdvPolicyData of the file /goform/setAdvPolicyData of the component Destination Handler. Executing a manipulation of the argument policyType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. | ||||
| CVE-2026-5630 | 1 Assafelovic | 1 Gpt-researcher | 2026-04-07 | 4.3 Medium |
| A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-5641 | 1 Phpgurukul | 1 Online Shopping Portal Project | 2026-04-07 | 6.3 Medium |
| A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | ||||
| CVE-2026-5646 | 1 Code-projects | 1 Eblog Site | 2026-04-07 | 7.3 High |
| A security vulnerability has been detected in code-projects Easy Blog Site 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-5659 | 1 Pytries | 1 Datrie | 2026-04-07 | 6.3 Medium |
| A vulnerability was found in pytries datrie up to 0.8.3. The affected element is the function Trie.load/Trie.read/Trie.__setstate__ of the file src/datrie.pyx of the component trie File Handler. The manipulation results in deserialization. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-5661 | 1 Free5gc | 1 Free5gc | 2026-04-07 | 5.3 Medium |
| A vulnerability was identified in Free5GC 4.2.0. This affects an unknown function of the component NGSetupRequest Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit is publicly available and might be used. | ||||
| CVE-2018-25256 | 1 Ks-soft | 1 Ip Tools | 2026-04-07 | 5.5 Medium |
| IP TOOLS 2.50 contains a local buffer overflow vulnerability in the SNMP Scanner component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data into the 'From Addr' and 'To Addr' fields and trigger the crash by clicking the Start button, causing denial of service and SEH overwrite. | ||||
| CVE-2019-25659 | 1 Xlinesoft | 1 Asprunner Professional | 2026-04-07 | 6.2 Medium |
| ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application crash. | ||||
| CVE-2019-25665 | 1 Riverpast | 1 River Past Ringtone Converter | 2026-04-07 | 6.2 Medium |
| River Past Ringtone Converter 2.7.6.1601 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to activation fields. Attackers can paste 300 bytes of data into the Email textbox and Activation code textarea via the Help menu's Activate dialog to trigger a denial of service condition. | ||||
| CVE-2019-25669 | 1 Qdpm | 1 Qdpm | 2026-04-07 | 8.2 High |
| qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information. | ||||
| CVE-2019-25686 | 1 Coreftp | 1 Core Ftp | 2026-04-07 | 7.5 High |
| Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process. | ||||
| CVE-2026-31150 | 1 Kaleris | 1 Yms | 2026-04-07 | 4.3 Medium |
| Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. | ||||