Export limit exceeded: 329761 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (329761 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23954 | 2 Linuxcontainers, Lxc | 2 Incus, Incus | 2026-01-30 | 8.7 High |
| Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | ||||
| CVE-2026-23953 | 2 Linuxcontainers, Lxc | 2 Incus, Incus | 2026-01-30 | 8.7 High |
| Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | ||||
| CVE-2025-62986 | 1 Wordpress | 1 Wordpress | 2026-01-30 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in FanBridge FanBridge signup fanbridge-signup allows Stored XSS.This issue affects FanBridge signup: from n/a through <= 0.6. | ||||
| CVE-2025-62897 | 1 Wordpress | 1 Wordpress | 2026-01-30 | 4.7 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Code Injection.This issue affects WP Recipe Maker: from n/a through <= 10.1.1. | ||||
| CVE-2025-52741 | 1 Wordpress | 1 Wordpress | 2026-01-30 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barry Kooij Post Connector post-connector allows Reflected XSS.This issue affects Post Connector: from n/a through <= 1.0.11. | ||||
| CVE-2026-1386 | 1 Amazon | 1 Firecracker | 2026-01-30 | 6 Medium |
| A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | ||||
| CVE-2023-26813 | 1 Wang.market | 1 Wangmarket | 2026-01-30 | 9.8 Critical |
| SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. | ||||
| CVE-2025-46316 | 1 Apple | 6 Ios, Ipados, Iphone Os and 3 more | 2026-01-30 | 4.3 Medium |
| An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory. | ||||
| CVE-2025-46306 | 1 Apple | 7 Ios, Ipad Os, Ipados and 4 more | 2026-01-30 | 5.5 Medium |
| The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents. | ||||
| CVE-2026-0901 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2026-01-30 | 5.4 Medium |
| Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-55251 | 1 Hcltech | 1 Aion | 2026-01-30 | 3.1 Low |
| HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | ||||
| CVE-2025-55249 | 1 Hcltech | 1 Aion | 2026-01-30 | 3.5 Low |
| HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. | ||||
| CVE-2025-52661 | 1 Hcltech | 1 Aion | 2026-01-30 | 2.4 Low |
| HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. | ||||
| CVE-2025-52660 | 1 Hcltech | 1 Aion | 2026-01-30 | 2.7 Low |
| HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | ||||
| CVE-2025-59593 | 2 Extendthemes, Wordpress | 2 Colibri Page Builder, Wordpress | 2026-01-30 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through < 1.0.334. | ||||
| CVE-2025-49908 | 1 Wordpress | 1 Wordpress | 2026-01-30 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Countdown Timer for WooCommerce wpc-countdown-timer allows Stored XSS.This issue affects WPC Countdown Timer for WooCommerce: from n/a through <= 3.1.4. | ||||
| CVE-2025-52659 | 1 Hcltech | 1 Aion | 2026-01-30 | 2.8 Low |
| HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. | ||||
| CVE-2025-55252 | 1 Hcltech | 1 Aion | 2026-01-30 | 3.1 Low |
| HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access | ||||
| CVE-2025-55250 | 1 Hcltech | 1 Aion | 2026-01-30 | 1.8 Low |
| HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. | ||||
| CVE-2026-21925 | 2 Oracle, Redhat | 6 Graalvm, Graalvm For Jdk, Java Se and 3 more | 2026-01-30 | 4.8 Medium |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | ||||