Export limit exceeded: 339569 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 339569 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339569 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25548 | 1 Bluestacks | 1 Bluestacks | 2026-03-23 | 6.2 Medium |
| BlueStacks 4.80.0.1060 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to the search field. Attackers can paste a buffer of 100,000 'A' characters into the search field and trigger a search operation to cause the application to crash. | ||||
| CVE-2019-25554 | 2 Ether Software, Tomabo | 2 Easy Video To Mp4 Converter, Mp4 Converter | 2026-03-23 | 5.5 Medium |
| Tomabo MP4 Converter 3.25.22 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can trigger a buffer overflow by pasting a large payload into the Name parameter when adding a preset in the Video/Audio Formats options, causing the application to crash when Reset All is clicked. | ||||
| CVE-2019-25560 | 1 Lyricvideocreator | 1 Lyric Video Creator | 2026-03-23 | 7.5 High |
| Lyric Video Creator 2.1 contains a denial of service vulnerability that allows attackers to crash the application by processing malformed MP3 files. Attackers can create a crafted MP3 file with an oversized buffer and trigger the crash by opening the file through the Browse song functionality. | ||||
| CVE-2019-25566 | 1 Acutesystems | 1 Transmac | 2026-03-23 | 6.2 Medium |
| TransMac 12.3 contains a buffer overflow vulnerability in the volume name field that allows local attackers to crash the application by supplying an excessively long string. Attackers can create a malicious file with 1000 repeated characters, paste the content into the volume name field during disk image creation, and trigger an application crash. | ||||
| CVE-2019-25572 | 1 Nordvpn | 1 Nordvpn | 2026-03-23 | 6.2 Medium |
| NordVPN 6.19.6 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the email input field. Attackers can paste a buffer of 100,000 characters into the email field during login to trigger an application crash. | ||||
| CVE-2026-4516 | 1 Foundation Agents | 1 Metagpt | 2026-03-23 | 6.3 Medium |
| A vulnerability was found in Foundation Agents MetaGPT up to 0.8.1. This vulnerability affects unknown code of the file metagpt/actions/di/write_analysis_code.py of the component DataInterpreter. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-33071 | 2 Error311, Filerise | 2 Filerise, Filerise | 2026-03-23 | 4.3 Medium |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0. | ||||
| CVE-2026-4536 | 1 Acrel | 1 Environmental Monitoring Cloud Platform | 2026-03-23 | 7.3 High |
| A vulnerability was found in Acrel Environmental Monitoring Cloud Platform 1.1.0. This issue affects some unknown processing. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2019-25584 | 1 Raimersoft | 1 Rarmaradio | 2026-03-23 | 6.2 Medium |
| RarmaRadio 2.72.3 contains a buffer overflow vulnerability in the Server field of the Network settings that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a malicious payload exceeding 4000 bytes into the Server field via the Settings menu to trigger an application crash. | ||||
| CVE-2026-4541 | 1 Janmojzis | 1 Tinyssh | 2026-03-23 | 2.5 Low |
| A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB. | ||||
| CVE-2026-33070 | 2 Error311, Filerise | 2 Filerise, Filerise | 2026-03-23 | 3.7 Low |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. The POST /api/file/deleteShareLink.php endpoint calls FileController::deleteShareLink() which performs no authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. This issue is fixed in version 3.8.0. | ||||
| CVE-2026-4115 | 1 Putty | 1 Putty | 2026-03-23 | 3.7 Low |
| A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact. | ||||
| CVE-2026-33069 | 1 Pjsip | 2 Pjproject, Pjsip | 2026-03-23 | 7.5 High |
| PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17. | ||||
| CVE-2019-25590 | 1 Labf | 1 Axessh | 2026-03-23 | 6.2 Medium |
| Axessh 4.2 contains a denial of service vulnerability in the logging configuration that allows local attackers to crash the application by supplying an excessively long string in the log file name field. Attackers can enable session logging, paste a buffer of 500 or more characters into the log file name parameter, and trigger a crash when establishing a telnet connection. | ||||
| CVE-2019-25596 | 2 Nsasoft, Nsauditor | 2 Spotauditor, Spotauditor | 2026-03-23 | 6.2 Medium |
| SpotAuditor 5.2.6 contains a denial of service vulnerability in the registration dialog that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 repeated characters into the Name input during registration to trigger an application crash. | ||||
| CVE-2026-33067 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-03-23 | 9.0 Critical |
| SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1. | ||||
| CVE-2026-33066 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-03-23 | 9.0 Critical |
| SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1. | ||||
| CVE-2019-25602 | 1 Gsearch | 1 Gsearch | 2026-03-23 | 5.5 Medium |
| GSearch 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting an excessively long string in the search bar. Attackers can paste a buffer of 2000 characters into the search field, click search, and select any result to trigger an application crash. | ||||
| CVE-2026-32701 | 2 Qwik, Qwikdev | 2 Qwik, Qwik | 2026-03-23 | 7.5 High |
| Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2. | ||||
| CVE-2026-21992 | 1 Oracle | 2 Identity Manager, Web Services Manager | 2026-03-23 | 9.8 Critical |
| Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||