Export limit exceeded: 367033 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (367033 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12715 | 2026-07-17 | N/A | ||
| Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests. This vulnerability was patched on 15 April 2026, and no customer action is needed. | ||||
| CVE-2026-14871 | 1 Osticket | 1 Osticket | 2026-07-17 | N/A |
| osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. | ||||
| CVE-2026-63095 | 2026-07-17 | 6.5 Medium | ||
| Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow. | ||||
| CVE-2026-51083 | 2026-07-17 | 6.5 Medium | ||
| Incorrect access control in Proxmox Virtual Environment (PVE) 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API. | ||||
| CVE-2026-44433 | 1 H2o | 1 Quicly | 2026-07-17 | 5.3 Medium |
| Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, an adversarial peer could send a STREAM frame carrying just one byte at the largest offset being permitted to obtain additional flow control credit, which under certain circumstances could lead to a Denial of Service. Assuming the application prepares a receive buffer for storing all data that arrive out-of-order, up to the largest offset being received, this behavior could lead to the application allocating large amount of memory with the peer sending only a handful of packets, resulting in memory exhaustion. In addition to the receive buffer allocation strategy, the severity of this vulnerability depends on how the application controls the stream concurrency. In case of the H2O HTTP server, under its default setting, this bug increases the maximum amount of memory allocated per connection by about 4 times. This issue has been fixed by commit 8b178e6. | ||||
| CVE-2026-54340 | 1 H2o | 1 H2o | 2026-07-17 | 7.5 High |
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd. | ||||
| CVE-2026-12705 | 2026-07-17 | 6.4 Medium | ||
| Missing support for integrity check vulnerability in ABB KNX Update Tool (ABB), ABB KNX Update Tool (BJE). This issue affects KNX Update Tool (ABB): through 2.0.175; KNX Update Tool (BJE): through 2.0.175. | ||||
| CVE-2026-9592 | 2026-07-17 | N/A | ||
| SEPPmail Secure Email Gateway & SEPPmail Cloud before version 15.0.4.2 allows an attacker to replay & hijack a user session in the GINA web portal, as the session token is disclosed inside the URL and a HTTP header. | ||||
| CVE-2024-23572 | 2026-07-17 | 4.2 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack as cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. | ||||
| CVE-2024-23570 | 2026-07-17 | 4.3 Medium | ||
| HCL Aftermarket EPC is affected by clickjacking vulnerability Cross-Frame Scripting is an attack technique where an attacker loads a vulnerable application in an iFrame on his malicious site. The attacker can then launch a Clickjacking attack, which may lead to Phishing, Cross-Site Request Forgery, sensitive information leakage and more. | ||||
| CVE-2024-23578 | 2026-07-17 | 4.2 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack as the application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain (*-Wildcard). | ||||
| CVE-2024-23569 | 2026-07-17 | 4.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since the server is not configured with “X-XSS-Protection" header | ||||
| CVE-2024-23577 | 2026-07-17 | 4.3 Medium | ||
| HCL Aftermarket EPC is vulnerable since the application does not have a validation for HOST header and accepts arbitrary hosts when requested in http protocol. When an application doesn’t adequately validate or sanitize this header, it can lead to several security risks, including Host header poisoning, server misconfigurations. | ||||
| CVE-2024-23574 | 2026-07-17 | 5.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since It was found that a malicious actor can use brute-force techniques to either guess or confirm valid users in the system. Use renumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system | ||||
| CVE-2024-42214 | 2026-07-17 | 5.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the Web server which allows an attacker to narrow and intensify their efforts. | ||||
| CVE-2024-23575 | 2026-07-17 | 5.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since the application returns detailed error messages that leak information about the processing on the server. An attacker may use the contents of error messages to help launch another ,more focused attack. | ||||
| CVE-2024-23571 | 2026-07-17 | 4.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since the application does not have an appropriate caching policy specifying the extent to which the page and its form fields should be cached. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time. | ||||
| CVE-2024-23573 | 2026-07-17 | 3.7 Low | ||
| HCL Aftermarket EPC is vulnerable to attack since the Application is vulnerable to Lucky 13. that makes the SS LLUCKY13 possible affects the TLS1.1and 1.2 and DTLS1.0 or 1.2 implementations . It also affects previous versions such as SSL3.0 and TLS1.0. This can also be considered a type of man-in-the-middle attack. | ||||
| CVE-2024-23568 | 2026-07-17 | 5.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attacks since the server software version used by the application is revealed by the web server. Displaying version information of software could allow an attacker to determine which vulnerabilities are present in the software, particularly if an outdated software version is in use with published vulnerabilities. | ||||
| CVE-2026-13774 | 1 Google | 1 Chrome | 2026-07-17 | 8.1 High |
| Use after free in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical) | ||||