Export limit exceeded: 364816 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364816 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-53877 | 1 Djangoproject | 1 Django | 2026-07-10 | 4.8 Medium |
| An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue. | ||||
| CVE-2026-53878 | 1 Djangoproject | 1 Django | 2026-07-10 | 6.1 Medium |
| An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue. | ||||
| CVE-2026-57157 | 1 Freerdp | 1 Freerdp | 2026-07-10 | 6.5 Medium |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0, FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled scan attacker-supplied DeviceName and VirtualChannelName fields for a NUL terminator in channels/rdpecam/server/camera_device_enumerator_main.c and then dereference once past the scan bound, allowing a malicious RDP client to trigger a 1- to 2-byte out-of-bounds heap read. This issue is fixed in version 3.28.0. | ||||
| CVE-2026-57221 | 1 Rabbitmq | 1 Rabbitmq-server | 2026-07-10 | N/A |
| RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ does not perform authorization checks on passive queue.declare and exchange.declare AMQP 0-9-1 operations, allowing any authenticated user who can connect to a virtual host to enumerate queue and exchange names and read queue message and consumer counts. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. | ||||
| CVE-2026-44383 | 2026-07-10 | 7.5 High | ||
| Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend. | ||||
| CVE-2026-42952 | 2026-07-10 | 7.5 High | ||
| Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack. | ||||
| CVE-2026-20744 | 2026-07-10 | 9.8 Critical | ||
| The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. | ||||
| CVE-2026-55460 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 7.1 High |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-11913 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*. | ||||
| CVE-2026-11914 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*. | ||||
| CVE-2026-15089 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*. | ||||
| CVE-2026-15087 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*. | ||||
| CVE-2026-15086 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*. | ||||
| CVE-2026-15085 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3. | ||||
| CVE-2026-15084 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17. | ||||
| CVE-2026-15082 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1. | ||||
| CVE-2026-15081 | 2026-07-10 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0. | ||||
| CVE-2026-15080 | 2026-07-10 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4. | ||||
| CVE-2026-58591 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0. | ||||
| CVE-2026-58590 | 2026-07-10 | N/A | ||
| Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0. | ||||