Export limit exceeded: 328167 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (328167 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28790 | 1 Olivetin | 1 Olivetin | 2026-03-06 | 7.5 High |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0. | ||||
| CVE-2026-28789 | 1 Olivetin | 1 Olivetin | 2026-03-06 | 7.5 High |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3. | ||||
| CVE-2026-28514 | 2026-03-06 | N/A | ||
| Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. | ||||
| CVE-2026-28372 | 1 Gnu | 1 Inetutils | 2026-03-06 | 7.4 High |
| telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file. | ||||
| CVE-2026-28350 | 1 Fedora-python | 1 Lxml Html Clean | 2026-03-06 | 6.1 Medium |
| lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4. | ||||
| CVE-2026-28348 | 1 Fedora-python | 1 Lxml Html Clean | 2026-03-06 | 6.1 Medium |
| lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4. | ||||
| CVE-2026-28342 | 1 Olivetin | 1 Olivetin | 2026-03-06 | 7.5 High |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2. | ||||
| CVE-2026-26122 | 1 Microsoft | 1 Microsoft Aci Confidential Containers | 2026-03-06 | 6.5 Medium |
| Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-1128 | 2 Wordpress, Wp-ecommerce | 2 Wordpress, Wp Ecommerce | 2026-03-06 | 4.3 Medium |
| The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | ||||
| CVE-2025-69651 | 2026-03-06 | N/A | ||
| GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. | ||||
| CVE-2025-69646 | 2026-03-06 | N/A | ||
| Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis. | ||||
| CVE-2025-69645 | 2026-03-06 | N/A | ||
| Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file. | ||||
| CVE-2025-69644 | 2026-03-06 | N/A | ||
| An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file. | ||||
| CVE-2026-30791 | 1 Rustdesk-client | 1 Rustdesk Client | 2026-03-06 | N/A |
| Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig(). This issue affects RustDesk Client: through 1.4.5. | ||||
| CVE-2022-37008 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2026-03-06 | 7.5 High |
| The recovery module has a vulnerability of bypassing the verification of an update package before use. Successful exploitation of this vulnerability may affect system stability. | ||||
| CVE-2022-37005 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2026-03-06 | 7.5 High |
| The Settings application has an argument injection vulnerability. Successful exploitation of this vulnerability may affect data confidentiality. | ||||
| CVE-2022-37004 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2026-03-06 | 7.5 High |
| The Settings application has a vulnerability of bypassing the out-of-box experience (OOBE). Successful exploitation of this vulnerability may affect the availability. | ||||
| CVE-2022-36125 | 1 Apache | 1 Avro | 2026-03-06 | 7.5 High |
| It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue. | ||||
| CVE-2022-35290 | 1 Sap | 1 Authenticator | 2026-03-06 | 7.5 High |
| Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted. | ||||
| CVE-2022-30635 | 2 Golang, Redhat | 15 Go, Acm, Ceph Storage and 12 more | 2026-03-06 | 7.5 High |
| Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | ||||