Search

Search Results (366763 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-15121 1 Google 1 Chrome 2026-07-15 8.8 High
Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-15123 1 Google 1 Chrome 2026-07-15 8.8 High
Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-15125 1 Google 1 Chrome 2026-07-15 8.8 High
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-15126 1 Google 1 Chrome 2026-07-15 8.8 High
Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-15127 1 Google 1 Chrome 2026-07-15 6.1 Medium
Inappropriate implementation in WebGL in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
CVE-2025-45422 1 Proximus 1 B-box 2026-07-15 8.1 High
Incorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictions and make arbitrary changes to port forwarding rules.
CVE-2026-51923 1 Docuform 1 Client 2026-07-15 8.1 High
An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with other users’ accounts.
CVE-2025-63579 1 Kyocera 1 Command Center Rx 2026-07-15 7.5 High
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be obtained. This affects Kyocera Command Center RX TASKalfa 2552ci, TASKalfa 3252ci, TASKalfa 2553ci, TASKalfa 3253ci, TASKalfa 3554ci, TASKalfa 4052ci, TASKalfa 5052ci, TASKalfa 6052ci, TASKalfa 7052ci, TASKalfa 8052ci, TASKalfa 7353ci, TASKalfa 8353ci, TASKalfa 2554ci, TASKalfa 3254ci, TASKalfa 505.
CVE-2026-51600 1 Tenda 1 Cp3 V3 2026-07-15 7.5 High
Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding message body, the RTSP parser enters a persistent body-awaiting state, causing the affected TCP connection to become permanently non-functional. The device does not actively close the connection, resulting in a TCP resource leak. This issue can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition.
CVE-2026-50657 1 Microsoft 1 Defender For Endpoint 2026-07-15 4.7 Medium
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.
CVE-2026-50668 1 Microsoft 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more 2026-07-15 6.8 Medium
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to elevate privileges with a physical attack.
CVE-2026-48580 1 Microsoft 9 365 Apps, Excel 2016, Office 2019 and 6 more 2026-07-15 5.5 Medium
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-55016 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-07-15 4.6 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-50299 1 Microsoft 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more 2026-07-15 6.8 Medium
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
CVE-2026-55046 1 Microsoft 9 365 Apps, Excel 2016, Office 2019 and 6 more 2026-07-15 5.5 Medium
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-10628 2 Wordpress, Wpswings 2 Wordpress, Points And Rewards For Woocommerce 2026-07-15 4.3 Medium
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to convert and drain any user's reward points into wallet balance, exfiltrate all users' emails and point balances to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings. The nonce used for authentication of these requests (wps-wpr-verify-nonce) is injected into every public-facing page via wp_localize_script(), and the wps_wpr_generate_custom_wallet handler is additionally registered on the wp_ajax_nopriv_ hook, meaning unauthenticated visitors can also obtain a valid nonce and exploit that specific action.
CVE-2026-43637 2026-07-15 9.1 Critical
Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.
CVE-2026-61438 1 Praison 1 Praisonai 2026-07-15 7.3 High
PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor._exec_inline_python() due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system() calls that bypass sandbox checks and execute arbitrary OS commands with process privileges.
CVE-2026-52840 1 Alextselegidis 1 Easyappointments 2026-07-15 2.7 Low
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Caldav::connect_to_server` at `application/controllers/Caldav.php:60` hands the request's `caldav_url` to a Guzzle `REPORT` call without scheme or host validation. A logged-in backend user (admin, provider, or secretary) reaches loopback, RFC1918, and link-local hosts on the deployment's network. The Guzzle exception path returns the upstream status code plus ~120 bytes of response body in the JSON `message` field (`Caldav.php:74-78`), so the SSRF is semi-blind. Version 1.6.0 contains a patch.
CVE-2026-49783 1 Microsoft 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more 2026-07-15 7.8 High
Improperly implemented security check for standard in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.