Export limit exceeded: 336250 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336250 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20164 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2026-03-25 | 6.5 Medium |
| In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials. | ||||
| CVE-2026-20166 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2026-03-25 | 5.4 Medium |
| In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise. | ||||
| CVE-2026-20163 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2026-03-25 | 8 High |
| In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint. | ||||
| CVE-2025-66955 | 1 Asseco | 1 See Live | 2026-03-25 | 6.5 Medium |
| Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls. | ||||
| CVE-2026-21670 | 1 Veeam | 1 Backup And Replication | 2026-03-25 | 7.7 High |
| A vulnerability allowing a low-privileged user to extract saved SSH credentials. | ||||
| CVE-2026-21669 | 1 Veeam | 1 Backup And Replication | 2026-03-25 | 10 Critical |
| A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | ||||
| CVE-2026-21668 | 1 Veeam | 1 Backup And Replication | 2026-03-25 | 8.8 High |
| A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. | ||||
| CVE-2026-21672 | 1 Veeam | 1 Backup And Recovery | 2026-03-25 | 8.8 High |
| A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers. | ||||
| CVE-2026-21708 | 1 Veeam | 1 Backup And Recovery | 2026-03-25 | 10 Critical |
| A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | ||||
| CVE-2026-32302 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 8.1 High |
| OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11. | ||||
| CVE-2026-26133 | 1 Microsoft | 33 365 Copilot Android, 365 Copilot For Android, 365 Copilot For Ios and 30 more | 2026-03-25 | 7.1 High |
| AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-20993 | 1 Samsung | 1 Samsung Assistant | 2026-03-25 | N/A |
| Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information. | ||||
| CVE-2026-20994 | 1 Samsung | 1 Account | 2026-03-25 | N/A |
| URL redirection in Samsung Account prior to version 15.5.01.1 allows remote attackers to potentially get access token. | ||||
| CVE-2026-20995 | 1 Samsung | 1 Smart Switch | 2026-03-25 | N/A |
| Exposure of sensitive functionality to an unauthorized actor in Smart Switch prior to version 3.7.69.15 allows remote attackers to set a specific configuration. | ||||
| CVE-2026-20996 | 1 Samsung | 1 Smart Switch | 2026-03-25 | N/A |
| Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.69.15 allows remote attackers to configure a downgraded scheme for authentication. | ||||
| CVE-2026-20997 | 1 Samsung | 1 Smart Switch | 2026-03-25 | N/A |
| Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication. | ||||
| CVE-2026-20998 | 1 Samsung | 1 Smart Switch | 2026-03-25 | N/A |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication. | ||||
| CVE-2026-3836 | 1 Dnf5 | 1 Dnf5 | 2026-03-25 | 5.5 Medium |
| A flaw was found in dnf5. A local, unprivileged attacker can exploit a path traversal vulnerability in the D-Bus locale configuration. By providing a specially crafted string to the locale key during session opening, the attacker can force the dnf5daemon-server to terminate, leading to an application-level Denial of Service (DoS) with a core dump. | ||||
| CVE-2026-30661 | 1 Icms | 1 Icms | 2026-03-25 | 6.1 Medium |
| iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters. | ||||
| CVE-2026-30662 | 1 Concretecms | 1 Concrete Cms | 2026-03-25 | 6.5 Medium |
| ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error. | ||||