Export limit exceeded: 341484 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341484 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-14028 | 1 Softing | 2 Smartlink Hw-dp, Smartlink Hw-pn | 2026-03-30 | 6.5 Medium |
| Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS. This issue affects: smartLink HW-DP: through 1.31 smartLink HW-PN: before 1.02. | ||||
| CVE-2026-4984 | 1 Botpress | 1 Botpress | 2026-03-30 | 8.2 High |
| The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account. | ||||
| CVE-2026-5010 | 1 Sanoma | 1 Clickedu | 2026-03-30 | N/A |
| A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user’s behalf. | ||||
| CVE-2026-5026 | 1 Langflow | 1 Langflow | 2026-03-30 | N/A |
| The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens. | ||||
| CVE-2026-5027 | 1 Langflow | 1 Langflow | 2026-03-30 | 8.8 High |
| The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../'). | ||||
| CVE-2024-11604 | 1 Opentext | 1 Idm Driver And Extensions | 2026-03-30 | N/A |
| Insertion of Sensitive Information into Log File vulnerability in the SCIM Driver module in OpenText IDM Driver and Extensions on Windows, Linux, 64 bit allows authenticated local users to obtain sensitive information via access to log files. This issue affects IDM SCIM Driver: 1.0.0.0000 through 1.0.1.0300 and 1.1.0.0000. | ||||
| CVE-2025-59028 | 1 Open-xchange | 1 Ox Dovecot Pro | 2026-03-30 | 5.3 Medium |
| When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known. | ||||
| CVE-2026-1496 | 1 Black Duck | 1 Coverity | 2026-03-30 | N/A |
| Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account. | ||||
| CVE-2026-27857 | 1 Open-xchange | 1 Ox Dovecot Pro | 2026-03-30 | 4.3 Medium |
| Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known. | ||||
| CVE-2026-32669 | 1 Buffalo | 1 Wi-fi Router Products | 2026-03-30 | N/A |
| Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products. | ||||
| CVE-2026-33280 | 1 Buffalo | 1 Wi-fi Router Products | 2026-03-30 | N/A |
| Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands. | ||||
| CVE-2026-33739 | 1 Fogproject | 1 Fogproject | 2026-03-30 | 5.7 Medium |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue. | ||||
| CVE-2026-33755 | 1 Intermesh | 1 Group-office | 2026-03-30 | 8.8 High |
| Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue. | ||||
| CVE-2026-4620 | 1 Nec | 2 Aterm Wx1500hp, Aterm Wx3600hp | 2026-03-30 | N/A |
| OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to execute arbitrary OS commands via network. | ||||
| CVE-2026-3457 | 1 Thales | 1 Sentinel Ldk Runtime | 2026-03-30 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Thales Sentinel LDK Runtime on Windows allows Stored XSS.This issue affects Sentinel LDK Runtime: before 10.22. | ||||
| CVE-2026-4309 | 1 Nec | 20 Aterm W1200ex(-ms), Aterm Wf1200cr, Aterm Wg1200cr and 17 more | 2026-03-30 | N/A |
| Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network. | ||||
| CVE-2026-4621 | 1 Nec | 21 Aterm W1200ex(-ms), Aterm Wf1200cr, Aterm Wg1200cr and 18 more | 2026-03-30 | N/A |
| Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to enable telnet via network. | ||||
| CVE-2026-4909 | 1 Code-projects | 1 Exam Form Submission | 2026-03-30 | 2.4 Low |
| A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-4966 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-03-30 | 6.3 Medium |
| A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2025-69986 | 1 Lsc | 1 Indoor Camera | 2026-03-30 | 7.2 High |
| A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32. The application fails to validate the length of the Protocol parameter inside the Transport element. By sending a specially crafted SOAP request containing an oversized protocol string, an attacker can overflow the stack buffer, overwriting the return instruction pointer (RIP). This vulnerability allows for Denial of Service (DoS) via device crash or Remote Code Execution (RCE) in the context of the ONVIF service. | ||||