Export limit exceeded: 362717 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 362717 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (362717 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13941 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Inappropriate implementation in SiteSettings in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13943 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Uninitialized Use in CSS in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13981 | 1 Google | 1 Chrome | 2026-07-01 | N/A |
| Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13987 | 1 Google | 1 Chrome | 2026-07-01 | 4.3 Medium |
| Incorrect security UI in Mobile in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13989 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Inappropriate implementation in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14003 | 1 Google | 1 Chrome | 2026-07-01 | 4.3 Medium |
| Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) | ||||
| CVE-2026-14006 | 1 Google | 1 Chrome | 2026-07-01 | 8.8 High |
| Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14011 | 1 Google | 1 Chrome | 2026-07-01 | 8.1 High |
| Out of bounds read in SurfaceCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-10538 | 1 Bmc | 2 Control-m/enterprise Manager, Control-m/server | 2026-07-01 | 8 High |
| Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content. | ||||
| CVE-2026-13603 | 1 Pretix | 1 Pretix-oppwa | 2026-07-01 | N/A |
| The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath. Our plugin pretix-oppwa did so insecurely by concatenating the parameter form the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL. After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix. | ||||
| CVE-2026-34115 | 2026-07-01 | 9.8 Critical | ||
| Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec(\"php jobs/transcribe_amazon.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server. | ||||
| CVE-2026-13795 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-57737 | 2026-07-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16. | ||||
| CVE-2026-13919 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-46680 | 2026-07-01 | N/A | ||
| containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1. | ||||
| CVE-2026-13921 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Insufficient validation of untrusted input in DeviceBoundSessionCredentials in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-13922 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-34112 | 2026-07-01 | 9.8 Critical | ||
| Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec(\"php jobs/speech_audio_mac.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server. | ||||
| CVE-2026-54399 | 2026-07-01 | 7.5 High | ||
| Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length | ||||
| CVE-2026-13924 | 1 Google | 1 Chrome | 2026-07-01 | 6.5 Medium |
| Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | ||||