Export limit exceeded: 331915 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (331915 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32246 | 1 Steveiliop56 | 1 Tinyauth | 2026-03-13 | 8.5 High |
| Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3. | ||||
| CVE-2026-1525 | 1 Undici | 1 Undici | 2026-03-13 | 6.5 Medium |
| Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking | ||||
| CVE-2026-3926 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Out of bounds read in V8 in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-31900 | 1 Psf | 1 Black | 2026-03-13 | N/A |
| Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability. | ||||
| CVE-2026-0940 | 1 Lenovo | 8 Thinkpad P14s Gen 5 Bios, Thinkpad P15v Gen 3 Bios, Thinkpad P16v Gen 1 Bios and 5 more | 2026-03-13 | 6.7 Medium |
| A potential improper initialization vulnerability was reported in the BIOS of some ThinkPads that could allow a local privileged user to modify data and execute arbitrary code. | ||||
| CVE-2026-3931 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Heap buffer overflow in Skia in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-3915 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3924 | 1 Google | 1 Chrome | 2026-03-13 | 7.5 High |
| use after free in WindowDialog in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3923 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in WebMIDI in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3922 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in MediaStream in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3921 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3920 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Out of bounds memory access in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3919 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3918 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3917 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Use after free in Agents in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3914 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-3913 | 1 Google | 1 Chrome | 2026-03-13 | 8.8 High |
| Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | ||||
| CVE-2026-22052 | 1 Netapp | 2 Ontap, Ontap 9 | 2026-03-13 | 4.3 Medium |
| ONTAP versions 9.12.1 and higher with S3 NAS buckets are susceptible to an information disclosure vulnerability. Successful exploit could allow an authenticated attacker to view a listing of the contents in a directory for which they lack permission. | ||||
| CVE-2026-21628 | 2 Astroidframe.work, Templaza | 2 Astroid Template Framework, Astroid Framework | 2026-03-13 | 9.8 Critical |
| A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution. | ||||
| CVE-2026-3236 | 1 Octopus | 1 Octopus Server | 2026-03-13 | 4.3 Medium |
| In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token. | ||||