Export limit exceeded: 326032 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 326032 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (326032 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24051 | 2 Linuxfoundation, Opentelemetry | 2 Opentelemetry-go, Opentelemetry | 2026-02-27 | 7 High |
| OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. | ||||
| CVE-2025-64712 | 2 Unstructured, Unstructured-io | 2 Unstructured, Unstructured | 2026-02-27 | 9.8 Critical |
| The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18. | ||||
| CVE-2026-24884 | 1 Node-modules | 1 Compressing | 2026-02-27 | 8.4 High |
| Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1. | ||||
| CVE-2026-25505 | 2 Bambuddy, Maziggy | 2 Bambuddy, Bambuddy | 2026-02-27 | 9.8 Critical |
| Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7. | ||||
| CVE-2026-25128 | 1 Naturalintelligence | 1 Fast-xml-parser | 2026-02-27 | 7.5 High |
| fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. | ||||
| CVE-2026-27628 | 2 Py-pdf, Pypdf Project | 2 Pypdf, Pypdf | 2026-02-27 | 7.5 High |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually. | ||||
| CVE-2026-27583 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27582 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27581 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27580 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27573 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27501 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27500 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27201 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27200 | 2026-02-27 | N/A | ||
| Further research determined the situation described is not a vulnerability. | ||||
| CVE-2026-27141 | 1 Go Standard Library | 1 Net/http | 2026-02-27 | 7.5 High |
| Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic | ||||
| CVE-2026-25518 | 1 Cert-manager | 1 Cert-manager | 2026-02-27 | 5.9 Medium |
| cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. | ||||
| CVE-2026-25541 | 2 Tokio, Tokio-rs | 2 Bytes, Bytes | 2026-02-27 | 7.5 High |
| Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1. | ||||
| CVE-2026-1978 | 1 Kalyan02 | 1 Nanocms | 2026-02-27 | 5.3 Medium |
| A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. | ||||
| CVE-2026-22206 | 1 Spip | 1 Spip | 2026-02-27 | 8.8 High |
| SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server. | ||||