Export limit exceeded: 357649 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (357649 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-45178 | 1 Cyberark Software A Palo Alto Networks Company | 1 Conjur Enterprise | 2026-06-11 | N/A |
| Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20 | ||||
| CVE-2026-45177 | 1 Cyberark Software A Palo Alto Networks Company | 1 Conjur Cloud Edge Finding Only | 2026-06-11 | N/A |
| Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20 | ||||
| CVE-2026-45176 | 1 Cyberark Software A Palo Alto Networks Company | 1 Idira Endpoint Privilege Manager | 2026-06-11 | N/A |
| Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-12038 | 2026-06-11 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. | ||||
| CVE-2026-47911 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Macos and 1 more | 2026-06-11 | 7.8 High |
| Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-47912 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Macos and 1 more | 2026-06-11 | 7.8 High |
| Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-10143 | 2 Dana Powers, Dpkp | 2 Kafka-python, Kafka-python | 2026-06-11 | 7.5 High |
| kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures. | ||||
| CVE-2026-10142 | 2 Dana Powers, Dpkp | 2 Kafka-python, Kafka-python | 2026-06-11 | 7.5 High |
| kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart. | ||||
| CVE-2026-47913 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Macos and 1 more | 2026-06-11 | 7.8 High |
| Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-47914 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Macos and 1 more | 2026-06-11 | 7.8 High |
| Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-33113 | 1 Microsoft | 5 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2016 and 2 more | 2026-06-11 | 5.4 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2026-34692 | 1 Adobe | 2 Adobe Experience Manager, Experience Manager | 2026-06-11 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-40376 | 1 Microsoft | 1 Visual Studio Code | 2026-06-11 | 7.5 High |
| Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-44805 | 1 Microsoft | 5 Windows Server 2019, Windows Server 2019 (server Core Installation), Windows Server 2022 and 2 more | 2026-06-11 | 5.5 Medium |
| Use after free in Windows Network Controller (NC) Host Agent allows an authorized attacker to deny service locally. | ||||
| CVE-2026-45648 | 1 Microsoft | 3 Windows Server 2022, Windows Server 2025, Windows Server 2025 (server Core Installation) | 2026-06-11 | 8.8 High |
| Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-42567 | 1 Svelte | 1 Svelte | 2026-06-11 | 7.5 High |
| Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7. | ||||
| CVE-2026-45653 | 1 Microsoft | 26 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 23 more | 2026-06-11 | 7 High |
| Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-46698 | 2026-06-11 | 5.3 Medium | ||
| Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9. | ||||
| CVE-2026-42570 | 1 Svelte | 1 Devalue | 2026-06-11 | 7.5 High |
| Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1. | ||||
| CVE-2026-3329 | 1 Sonatype | 1 Nexus Repository Manager | 2026-06-11 | N/A |
| A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints. | ||||