Export limit exceeded: 12267 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12267 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13951 | 1 Google | 1 Chrome | 2026-07-17 | 8.3 High |
| Insufficient policy enforcement in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14017 | 1 Google | 1 Chrome | 2026-07-17 | 9.6 Critical |
| Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14041 | 1 Google | 1 Chrome | 2026-07-17 | 8.8 High |
| Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-14059 | 1 Google | 1 Chrome | 2026-07-17 | 6.5 Medium |
| Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-14081 | 1 Google | 1 Chrome | 2026-07-17 | 6.5 Medium |
| Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2026-15945 | 1 Redhat | 4 Build Keycloak, Jboss Data Grid, Jbosseapxp and 1 more | 2026-07-17 | 4.3 Medium |
| A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration. | ||||
| CVE-2024-23572 | 2026-07-17 | 4.2 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack as cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. | ||||
| CVE-2024-23569 | 2026-07-17 | 4.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since the server is not configured with “X-XSS-Protection" header | ||||
| CVE-2024-42214 | 2026-07-17 | 5.3 Medium | ||
| HCL Aftermarket EPC is vulnerable to attack since HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the Web server which allows an attacker to narrow and intensify their efforts. | ||||
| CVE-2026-11889 | 2026-07-17 | 6.5 Medium | ||
| SALTO ProAccess Space software using the tenancy feature / logical partition is vulnerable to a privilege escalation attack that could allow an authorized attacker to access any space managed by the affected product. | ||||
| CVE-2026-43977 | 1 Wger-project | 1 Wger | 2026-07-17 | 7.5 High |
| wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's. This issue has been fixed in version 2.6. | ||||
| CVE-2026-44435 | 1 H2o | 1 Quicly | 2026-07-17 | 7.5 High |
| Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9. | ||||
| CVE-2026-11966 | 2026-07-17 | 5.3 Medium | ||
| The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts. | ||||
| CVE-2026-12393 | 2026-07-17 | 5.4 Medium | ||
| The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders. | ||||
| CVE-2026-8396 | 2026-07-17 | 7.5 High | ||
| Improper restriction of XML external entity reference vulnerability in Netcad Software Inc. NetGIS allows Serialized Data External Linking. This issue affects NetGIS: from 5.0.66 before 7.2.2. | ||||
| CVE-2026-62235 | 1 Getgrav | 1 Grav | 2026-07-17 | 6.3 Medium |
| Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create, read, update, delete, and export objects from any directory lacking an explicit permissions configuration, bypassing intended authorization controls. | ||||
| CVE-2026-38970 | 2026-07-17 | 7.5 High | ||
| pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth. | ||||
| CVE-2026-14614 | 1 Redhat | 4 Build Keycloak, Jboss Data Grid, Jbosseapxp and 1 more | 2026-07-17 | 5.4 Medium |
| A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended. | ||||
| CVE-2026-54409 | 2026-07-17 | 7.5 High | ||
| A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras. | ||||
| CVE-2026-15159 | 2026-07-17 | 4.3 Medium | ||
| The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data — including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms — as a downloadable XLSX file. | ||||