Export limit exceeded: 361516 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361516 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-53249 | 1 Linux | 1 Linux Kernel | 2026-06-26 | 7.0 High |
| In the Linux kernel, the following vulnerability has been resolved: ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options This patch restricts setting Loose Source and Record Route (LSRR) and Strict Source and Record Route (SSRR) IP options to users with CAP_NET_RAW capability. This prevents unprivileged applications from forcing packets to route through attacker-controlled nodes to leak TCP ISN and possibly other protocol information. While LSRR and SSRR are commonly filtered in many network environments, they may still be supported and forwarded along some network paths. RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing IPv4 Options) recommend to drop these options in 4.3 and 4.4. | ||||
| CVE-2026-53252 | 1 Linux | 1 Linux Kernel | 2026-06-26 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device. | ||||
| CVE-2026-53255 | 1 Linux | 1 Linux Kernel | 2026-06-26 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1]. | ||||
| CVE-2026-53268 | 1 Linux | 1 Linux Kernel | 2026-06-26 | 7.0 High |
| In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack_irc: fix possible out-of-bounds read When parsing fails after we've matched the command string we should bail out instead of trying to match a different command. This helper should be deprecated, given prevalence of TLS I doubt it has any relevance in 2026. | ||||
| CVE-2026-13218 | 2 Kubevirt, Redhat | 3 Kubevirt, Container Native Virtualization, Openshift Virtualization | 2026-06-26 | 4.2 Medium |
| A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership. | ||||
| CVE-2026-23513 | 1 Fossbilling | 1 Fossbilling | 2026-06-26 | N/A |
| FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0. | ||||
| CVE-2026-40941 | 1 Cacti | 1 Cacti | 2026-06-26 | 8.8 High |
| Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31. | ||||
| CVE-2026-57667 | 2026-06-26 | 8.5 High | ||
| Sales Representative SQL Injection in Groundhogg <= 4.5 versions. | ||||
| CVE-2026-57660 | 2026-06-26 | 5.3 Medium | ||
| Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions. | ||||
| CVE-2026-57635 | 2026-06-26 | 6.5 Medium | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3 versions. | ||||
| CVE-2026-57431 | 2026-06-26 | 6.5 Medium | ||
| Author Cross Site Scripting (XSS) in Featured Image <= 2.1 versions. | ||||
| CVE-2026-57321 | 2026-06-26 | 7.1 High | ||
| Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions. | ||||
| CVE-2026-56068 | 2026-06-26 | 9.3 Critical | ||
| Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions. | ||||
| CVE-2026-56048 | 2026-06-26 | 6.5 Medium | ||
| Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions. | ||||
| CVE-2026-56034 | 2026-06-26 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions. | ||||
| CVE-2026-56028 | 2026-06-26 | 9.8 Critical | ||
| Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates <= 1.4.9 versions. | ||||
| CVE-2026-54835 | 2026-06-26 | 7.5 High | ||
| Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. | ||||
| CVE-2025-68075 | 2026-06-26 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions. | ||||
| CVE-2025-64637 | 2026-06-26 | 5.3 Medium | ||
| Unauthenticated Content Injection in Auros Core <= 5.3.1 versions. | ||||
| CVE-2026-53169 | 1 Linux | 1 Linux Kernel | 2026-06-26 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, causing unbounded kernel log spam. If panic_on_warn is set the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive. Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl rejects the command before it reaches hardware. | ||||