Export limit exceeded: 12295 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12295 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-59235 1 Roskus 1 Prospero Flow Crm 2026-07-15 N/A
Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it.
CVE-2026-59236 1 Roskus 1 Prospero Flow Crm 2026-07-15 N/A
Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.
CVE-2026-47305 1 Microsoft 2 Visual Studio 2022, Visual Studio 2026 2026-07-15 7.8 High
Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally.
CVE-2026-13876 1 Google 1 Chrome 2026-07-15 6.5 Medium
Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to bypass content security policy via malicious network traffic. (Chromium security severity: Medium)
CVE-2026-13903 1 Google 1 Chrome 2026-07-15 8.8 High
Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-13904 1 Google 1 Chrome 2026-07-15 6.5 Medium
Inappropriate implementation in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-13909 1 Google 1 Chrome 2026-07-15 9.6 Critical
Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-55123 1 Microsoft 8 365 Apps, Office 2019, Office 2021 and 5 more 2026-07-15 7.8 High
Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
CVE-2026-50510 1 Microsoft 1 Gihub Copilot Plugin For Jetbrains Ides 2026-07-15 7.8 High
Improper restriction of names for files and other resources in Github Copilot allows an unauthorized attacker to execute code locally.
CVE-2026-14054 1 Google 1 Chrome 2026-07-15 4.3 Medium
Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14058 1 Google 1 Chrome 2026-07-15 4.3 Medium
Insufficient policy enforcement in Parser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14120 1 Google 1 Chrome 2026-07-15 9.6 Critical
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-11580 2026-07-15 5.5 Medium
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.
CVE-2026-48359 2026-07-15 9.6 Critical
Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
CVE-2026-50402 1 Microsoft 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more 2026-07-15 7.8 High
Incorrect conversion between numeric types in Windows NTFS allows an authorized attacker to elevate privileges locally.
CVE-2019-25487 1 Sapido 1 Rb-1732 2026-07-15 9.8 Critical
SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.
CVE-2026-14957 2026-07-15 7.5 High
No description is available for this CVE.
CVE-2025-71382 2 Artifex, Artifexsoftware 2 Mupdf, Mupdf 2026-07-14 6.5 Medium
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
CVE-2026-6830 2 Get-hermes, Nesquena 2 Hermes Web Ui, Hermes-webui 2026-07-14 3.3 Low
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
CVE-2026-60104 1 Bitwarden 1 Server 2026-07-14 8.7 High
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.