3541 matches found
CVE-2026-61465
ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply a crafted image that causes ImageMagick to allocate more memory than permitted by the configured policy, resulting in a denial of...
CVE-2026-57216 RabbitMQ: AMQP 1.0, AMQP 0-9-1, Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, AMQP 0-9-1, AMQP 1.0, and Stream Protocol authentication can allow a loopback-restricted user such as guest to connect remotely when traffic is accepted through a trusted PROXY-protocol path and the backend...
EUVD-2026-42869
Dell PowerFlex Manager, Version prior to 5.1.0.1, contains an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure...
CVE-2026-54004
CVE-2026-54004 affects Kirby CMS. Prior to version 4.9.4 and 5.4.4, when content.fileRedirects is enabled, clean file URLs for files stored in top-level draft pages could be redirected to physical media URLs without verifying draft page permissions or preview tokens, potentially disclosing draft ...
Slackware Linux 15.0 / current xorg-server Multiple Vulnerabilities (SSA:2026-189-03)
The version of xorg-server installed on the remote host is prior to 1.20.14 / 21.1.24 / 21.1.4 / 24.1.13. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-189-03 advisory. New xorg-server packages are available for Slackware 15.0 and -current to fix security...
CVE-2026-59820
LiteLLM is a proxy AI gateway. A path traversal flaw existed in LiteLLM Skills archive extraction prior to version 1.83.7-stable, where uploaded skill ZIPs could write outside the intended extraction directory when an authenticated user accessed LLM API routes or held a key with /v1/skills, anthr...
EUVD-2026-42305
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...
CVE-2026-55417 Chevereto private profile setting leaks username on /json endpoint
Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route /username correctly returns 404. However, the /json AJAX listing endpoint does not apply the same check. An...
CVE-2026-14868
The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gai...
CVE-2026-53643
FOSSBilling (free/open-source billing and client management system) is affected in versions prior to 0.8.0. The vulnerability arises from a combination of a can_always_access module flag that grants broad access to certain modules and insufficient permission checks or unsafe parameter handling on...
CVE-2026-9181
Esri ArcGIS Server contains a directory traversal vulnerability. ArcGIS Enterprise on Kubernetes is not impacted. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow overwriting sensitive files on the system. Abuse of this...
CVE-2026-9181
Esri ArcGIS Server contains a directory traversal vulnerability. ArcGIS Enterprise on Kubernetes is not impacted. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow overwriting sensitive files on the system. Abuse of this...
CVE-2025-53830
CVE-2025-53830 affects Anti-Virus for ownCloud prior to version 1.2.3 and corresponding ownCloud 10 releases prior to 10.15.3. The issue is a Server-Side Request Forgery (SSRF) vulnerability that could be exploited within the anti-virus integration for file storage, synchronization, and sharing. ...
PT-2026-55967
Name of the Vulnerable Software and Affected Versions ArcGIS Server versions prior to 12.1 Description An unauthenticated attacker can exploit a directory traversal issue by sending crafted path parameters. This allows the attacker to access sensitive files on the system. Directory traversal is a...
CVE-2026-26307
CVE-2026-26307 affects Gitea versions before 1.25.5. The vulnerability arises because the git grep searches do not enforce a timeout, allowing expensive searches to consume server resources and cause a DoS condition. Affected component: the Git subsystem within Gitea (as noted in multiple sources...
CVE-2026-50279
Craft CMS is a content management system CMS. IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author...
Linux Distros Unpatched Vulnerability : CVE-2026-14390
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page...
DEBIAN-CVE-2026-14430
Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
DEBIAN-CVE-2026-14404
Inappropriate implementation in PDFium in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted PDF file. Chromium security severity: Medium...
CVE-2026-58029
CVE-2026-58029 affects Wikimedia Foundation MediaWiki and enables a full account takeover via BotPasswords and OAuth through action=changeauthenticationdata. Affected versions are MediaWiki: before 1.46.0, 1.45.4, 1.44.6, 1.43.9. The issue involves the API and Special pages: ApiChangeAuthenticati...