Search Results (366864 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-30661 2 Juniper, Juniper Networks 10 Ex9200-15c, Junos, Lc4800 and 7 more 2026-02-26 7.3 High
An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation. A local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system. This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C. This issue affects Junos OS: * from 23.2 before 23.2R2-S4,  * from 23.4 before 23.4R2-S5,  * from 24.2 before 24.2R2-S1,  * from 24.4 before 24.4R1-S3, 24.4R2. This issue does not affect versions prior to 23.1R2.
CVE-2025-43550 3 Adobe, Apple, Microsoft 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more 2026-02-26 7.8 High
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2025-52950 1 Juniper 1 Security Director 2026-02-26 9.6 Critical
A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level. An attacker can access data that is outside the user's authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices. This issue affects Security Director version 24.4.1.
CVE-2025-43577 3 Adobe, Apple, Microsoft 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more 2026-02-26 7.8 High
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2025-52954 2 Juniper, Juniper Networks 2 Junos Os Evolved, Junos Os Evolved 2026-02-26 7.8 High
A Missing Authorization vulnerability in the internal virtual routing and forwarding (VRF) of Juniper Networks Junos OS Evolved allows a local, low-privileged user to gain root privileges, leading to a system compromise. Any low-privileged user with the capability to send packets over the internal VRF can execute arbitrary Junos commands and modify the configuration, and thus compromise the system.  This issue affects Junos OS Evolved:  * All versions before 22.2R3-S7-EVO,  * from 22.4 before 22.4R3-S7-EVO,  * from 23.2 before 23.2R2-S4-EVO,  * from 23.4 before 23.4R2-S5-EVO,  * from 24.2 before 24.2R2-S1-EVO * from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.
CVE-2025-43573 3 Adobe, Apple, Microsoft 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more 2026-02-26 7.8 High
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2025-52983 2 Juniper, Juniper Networks 2 Junos, Junos Os 2026-02-26 7.2 High
A UI Discrepancy for Security Feature vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device. On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root. This issue affects Junos OS: * all versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S3, * 24.2 versions before 24.2R1-S2, 24.2R2.
CVE-2025-46840 1 Adobe 1 Experience Manager 2026-02-26 8.7 High
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
CVE-2025-52988 2 Juniper, Juniper Networks 4 Junos, Junos Os Evolved, Junos Os and 1 more 2026-02-26 6.7 Medium
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device. This issue affects: Junos OS:  * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S8, * 22.2 versions before 22.2R3-S6, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S1, * 23.4 versions before 23.4R1-S2, 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S6-EVO, * 23.2-EVO versions before 23.2R2-S1-EVO, * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO.
CVE-2025-46889 1 Adobe 2 Adobe Experience Manager, Experience Manager 2026-02-26 5.4 Medium
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction.
CVE-2025-47096 1 Adobe 2 Adobe Experience Manager, Experience Manager 2026-02-26 3.5 Low
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, allowing a low impact to the integrity of the component. Exploitation of this issue requires user interaction in that a victim must interact with the malicious content. Low privileges are required.
CVE-2025-47713 1 Apache 1 Cloudstack 2026-02-26 8.8 High
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role. * API privilege comparison: the caller must possess all privileges of the user they are operating on. * Two new domain-level settings (restricted to the default Admin):  - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".    - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
CVE-2025-47849 1 Apache 2 Apache Cloudstack, Cloudstack 2026-02-26 8.8 High
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.  * API privilege comparison: the caller must possess all privileges of the user they are operating on.  * Two new domain-level settings (restricted to the default admin):   - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".   - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
CVE-2023-38036 1 Ivanti 1 Avalanche 2026-02-26 9.8 Critical
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
CVE-2025-26521 1 Apache 2 Apache Cloudstack, Cloudstack 2026-02-26 8.1 High
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account. CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details: Account Name kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> First Name Kubernetes Last Name Service User Account Type 0 (Normal User) Role ID <ID_OF_SERVICE_ROLE> 2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted. 3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account. 4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:    api-url = <API_URL>     # For example: <MS_URL>/client/api   api-key = <SERVICE_USER_API_KEY>   secret-key = <SERVICE_USER_SECRET_KEY>   project-id = <PROJECT_ID> Delete the existing secret using kubectl and Kubernetes cluster config:    ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Create a new secret using kubectl and Kubernetes cluster config:     ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Remove the temporary file:     rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
CVE-2025-5958 1 Google 1 Chrome 2026-02-26 8.8 High
Use after free in Media in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2024-51768 1 Hpe 1 Autopass License Server 2026-02-26 8 High
An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
CVE-2025-5959 1 Google 1 Chrome 2026-02-26 8.8 High
Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2025-6265 1 Zyxel 48 Nwa110ax, Nwa110ax Firmware, Nwa1123ac Pro and 45 more 2026-02-26 7.2 High
A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device.
CVE-2025-32711 1 Microsoft 1 365 Copilot 2026-02-26 9.3 Critical
Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.