Search Results (11712 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40181 | 2 Remix-run, Shopify | 2 React-router, React-router | 2026-06-04 | 6.1 Medium |
| React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with `//` being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (`<BrowserRouter>`). This is patched in versions 7.14.1 and 6.30.4. | ||||
| CVE-2025-52608 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.1 Low |
| HCL iControl was affected by a Missing Cookie Attributes vulnerability. The application is missing several critical cookie attributes, including Secure and SameSite, and the cookie path is set to root. | ||||
| CVE-2025-52609 | 1 Hcltech | 1 Icontrol | 2026-06-04 | 3.7 Low |
| HCL iControl was affected by a Missing Security Headers vulnerability, which can lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers. | ||||
| CVE-2026-45810 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-04 | 6.8 Medium |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3. | ||||
| CVE-2026-10597 | 1 Itpison | 1 Omicard Edm | 2026-06-04 | 5.3 Medium |
| OMICARD EDM developed by ITPison has an Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address. | ||||
| CVE-2026-44917 | 1 Openstack | 1 Ironic | 2026-06-04 | 4.9 Medium |
| OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | ||||
| CVE-2026-7201 | 1 Progress | 1 Sitefinity | 2026-06-04 | 8.8 High |
| CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users. | ||||
| CVE-2026-43924 | 1 Fossbilling | 1 Fossbilling | 2026-06-04 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs. | ||||
| CVE-2025-13003 | 1 Aksis Technology | 1 Axonboard | 2026-06-04 | 7.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers. This issue affects AxOnboard: from 3.2.0 before 3.3.0. | ||||
| CVE-2025-13004 | 2 Farktor, Farktor Software E-commerce Services Inc. | 2 E-commerce Package, E-commerce Package | 2026-06-04 | 6.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2025-13124 | 1 Netiket | 1 Applylogic | 2026-06-04 | 7.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025. | ||||
| CVE-2025-13125 | 1 Im Park | 1 Dijidemi | 2026-06-04 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers. This issue affects DijiDemi: through 28.11.2025. | ||||
| CVE-2025-13474 | 1 Menulux | 1 Mobile App | 2026-06-04 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8. | ||||
| CVE-2025-14101 | 1 Gg Soft | 1 Paperwork | 2026-06-04 | 7.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. | ||||
| CVE-2025-15653 | 1 Draeger | 2 Zeus Ie, Zeus Rs C500 | 2026-06-03 | 6.8 Medium |
| Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect. | ||||
| CVE-2026-37978 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-03 | 4.9 Medium |
| A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. | ||||
| CVE-2026-4630 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-03 | 6.8 Medium |
| A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. | ||||
| CVE-2026-7504 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-03 | 8.1 High |
| A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect. | ||||
| CVE-2026-34257 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | 6.1 Medium |
| Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, could redirect them to a page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability. | ||||
| CVE-2026-45278 | 1 Nextcloud | 1 User Oidc | 2026-06-03 | 3.3 Low |
| Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in version 8.2.2. | ||||