Search Results (12588 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-44249 1 Netty 1 Netty 2026-06-15 8.1 High
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
CVE-2026-50623 1 Apache 1 Cxf 2026-06-13 4.8 Medium
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.
CVE-2026-44492 1 Axios 1 Axios 2026-06-13 8.6 High
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
CVE-2026-44208 1 Frappe 1 Frappe 2026-06-13 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
CVE-2026-45178 2 Cyberark, Cyberark Software A Palo Alto Networks Company 2 Conjur Enterprise, Conjur Enterprise 2026-06-12 N/A
Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20
CVE-2026-45177 2 Cyberark, Cyberark Software A Palo Alto Networks Company 2 Conjur Cloud, Conjur Cloud Edge Finding Only 2026-06-12 N/A
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20
CVE-2026-48610 1 Ubiquiti 15 Efg, Express 7, Ucg-fiber and 12 more 2026-06-12 8.1 High
Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.
CVE-2026-20259 1 Splunk 3 Splunk, Splunk Cloud Platform, Splunk Enterprise 2026-06-12 5.5 Medium
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
CVE-2026-47342 1 Apache 1 Ofbiz 2026-06-12 8.8 High
A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
CVE-2026-42902 1 Microsoft 2 Power Toys, Powertoys 2026-06-12 7.8 High
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
CVE-2026-44976 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
CVE-2026-11459 1 Secureage 1 Catchpulse 2026-06-12 3.3 Low
A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. Impacted is an unknown function in the library saappctl.sys of the component IOCTL Handler. The manipulation leads to information disclosure. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used.
CVE-2026-47182 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
CVE-2026-12065 1 Groww 1 Stock Mutual Fund Gold App 2026-06-12 1.8 Low
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
CVE-2026-47298 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-06-12 8 High
Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-41856 2 Spring, Vmware 2 Spring For Graphql, Spring For Graphql 2026-06-12 7.5 High
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
CVE-2026-48611 1 Phpbb 1 Phpbb 2026-06-12 N/A
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
CVE-2025-43339 1 Apple 1 Macos 2026-06-12 5.5 Medium
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to access sensitive user data.
CVE-2025-46308 1 Apple 4 Ios And Ipados, Ipados, Iphone Os and 1 more 2026-06-12 5.3 Medium
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.
CVE-2025-46315 1 Apple 1 Macos 2026-06-12 7.5 High
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.