Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
14,469 matching · page 68/290Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-42907(opens NVD record) | Medium | 6.5 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network. | Jun 9, 2026 |
| CVE-2026-42906(opens NVD record) | Medium | 5.5 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | Jun 9, 2026 |
| CVE-2026-42905(opens NVD record) | High | 7.8 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-42904(opens NVD record) | Critical | 9.6 | Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network. | Jun 9, 2026 |
| CVE-2026-42903(opens NVD record) | Medium | 6.5 | Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network. | Jun 9, 2026 |
| CVE-2026-42902(opens NVD record) | High | 7.8 | Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-42837(opens NVD record) | High | 7.8 | Out-of-bounds read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-42836(opens NVD record) | High | 7.0 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-42835(opens NVD record) | High | 8.1 | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network. | Jun 9, 2026 |
| CVE-2026-42829(opens NVD record) | High | 7.8 | Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally. | Jun 9, 2026 |
| CVE-2026-42828(opens NVD record) | High | 7.8 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-42570(opens NVD record) | High | 7.5 | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1. | Jun 9, 2026 |
| CVE-2026-41108(opens NVD record) | High | 7.0 | Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-41098(opens NVD record) | High | 8.4 | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network. | Jun 9, 2026 |
| CVE-2026-41092(opens NVD record) | High | 7.8 | Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-40409(opens NVD record) | High | 7.8 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Jun 9, 2026 |
| CVE-2026-40404(opens NVD record) | High | 7.8 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Jun 9, 2026 |
| CVE-2026-40376(opens NVD record) | High | 7.5 | Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | Jun 9, 2026 |
| CVE-2026-40371(opens NVD record) | High | 8.8 | Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network. | Jun 9, 2026 |
| CVE-2026-34335(opens NVD record) | High | 7.0 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-33828(opens NVD record) | High | 7.8 | Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally. | Jun 9, 2026 |
| CVE-2026-33113(opens NVD record) | Medium | 5.4 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | Jun 9, 2026 |
| CVE-2026-32193(opens NVD record) | High | 8.8 | Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally. | Jun 9, 2026 |
| CVE-2026-26142(opens NVD record) | Critical | 9.8 | Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network. | Jun 9, 2026 |
| CVE-2026-49938(opens NVD record) | Medium | 6.5 | A improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here> | Jun 9, 2026 |
| CVE-2026-25089(opens NVD record) | Critical | 9.8 | A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests | Jun 9, 2026 |
| CVE-2026-10523(opens NVD record) | Critical | 9.9 | An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access | Jun 9, 2026 |
| CVE-2026-10520(opens NVD record) | Critical | 10.0 | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution | Jun 9, 2026 |
| CVE-2025-67862(opens NVD record) | Medium | 6.7 | An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands. | Jun 9, 2026 |
| CVE-2026-52907(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: fix off by one bugs Change these comparisons from > vs >= to avoid accessing one element beyond the end of the arrays. While at it, use ARRAY_SIZE instead of the _MAX enum values. [fix cosmetic issues] | Jun 9, 2026 |
| CVE-2026-52906(opens NVD record) | High | 7.7 | In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations. Fix by clearing the access mask before applying the user's choice. | Jun 9, 2026 |
| CVE-2026-52905(opens NVD record) | Medium | 5.5 | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two min_region_sz on damon_start() Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start(). The issue was discovered by sashiko [1]. | Jun 9, 2026 |
| CVE-2026-52904(opens NVD record) | Medium | 5.5 | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix nvkm_device leak on aperture removal failure When aperture_remove_conflicting_pci_devices() fails during probe, the error path returns directly without unwinding the nvkm_device that was just allocated by nvkm_device_pci_new(). This leaks both the device wrapper and the pci_enable_device() reference taken inside it. Jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both. The leak was introduced when the intermediate nvkm_device_del() between detection and aperture removal was dropped in favor of creating the pci device once. | Jun 9, 2026 |
| CVE-2026-46332(opens NVD record) | High | 8.0 | In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: bound bootloader receive buffering cc1352_bootloader_rx() appends each serdev chunk into the fixed rx_buffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may receive multiple packets in one callback, so a single count value is not constrained by one packet length. Check that the incoming chunk fits in the remaining receive buffer space before memcpy(). If it does not, drop the staged data and consume the bytes instead of overflowing rx_buffer. | Jun 9, 2026 |
| CVE-2026-46330(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying `struct file`, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability. Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely. | Jun 9, 2026 |
| CVE-2026-46329(opens NVD record) | Medium | 5.5 | In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed out, similar to loopback devices and that is what we expect. | Jun 9, 2026 |
| CVE-2026-46328(opens NVD record) | High | 7.3 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers when appropriate. | Jun 9, 2026 |
| CVE-2026-46327(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dm_suspended_md The function dm_blk_report_zones tests if the device is suspended with the "dm_suspended_md" call. However, this function is called without holding any locks, so the device may be suspended just after it. Move the call to dm_suspended_md after dm_get_live_table, so that the device can't be suspended after the suspended state was tested. | Jun 9, 2026 |
| CVE-2026-46326(opens NVD record) | High | 8.4 | In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spi_transfer struct initialisation Make sure that the spi_transfer struct is zeroed out before use. | Jun 9, 2026 |
| CVE-2026-46325(opens NVD record) | Critical | 9.8 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory. ib_sg_to_page() has ensured that when i>=1 either a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned. This leads to incorrect iova-to-va conversion in scenarios: 1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K): ibmr->iova = 0x181800 sg[0]: dma_addr=0x181800, len=0x800 sg[1]: dma_addr=0x173000, len=0x1000 Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix: - index = (0x182010 >> 12) - (0x181800 >> 12) = 1 - page_offset = 0x182010 & 0xFFF = 0x10 - xarray[1] stores system page base 0x170000 - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong) 2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K): ibmr->iova = 0x18f800 sg[0]: dma_addr=0x18f800, len=0x800 sg[1]: dma_addr=0x170000, len=0x1000 Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix: - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1 - page_offset = 0x190010 & 0xFFFF = 0x10 - xarray[1] stores system page for dma_addr 0x170000 - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong) Yi Zhang reported a kernel panic[1] years ago related to this defect. Solution: 1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous) 2. Each rxe_mr_page stores both struct page* and offset within the system page 3. Handle MR page_size != PAGE_SIZE relationships: - page_size > PAGE_SIZE: Split MR pages into multiple system pages - page_size <= PAGE_SIZE: Store offset within system page 4. Add boundary checks and compatibility validation This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access. Tests on 4K and 64K PAGE_SIZE hosts: - rdma-core/pytests $ ./build/bin/run_tests.py --dev eth0_rxe - blktest: $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd [1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/ | Jun 9, 2026 |
| CVE-2026-11793(opens NVD record) | Medium | 4.9 | A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only. | Jun 9, 2026 |
| CVE-2026-11790(opens NVD record) | Medium | 4.9 | A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service. | Jun 9, 2026 |
| CVE-2026-11789(opens NVD record) | Medium | 4.9 | A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication. | Jun 9, 2026 |
| CVE-2026-11788(opens NVD record) | Medium | 5.9 | A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure. | Jun 9, 2026 |
| CVE-2026-11787(opens NVD record) | Medium | 5.0 | A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior. | Jun 9, 2026 |
| CVE-2026-11786(opens NVD record) | Low | 1.9 | A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation. | Jun 9, 2026 |
| CVE-2026-11785(opens NVD record) | Medium | 4.3 | A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users. | Jun 9, 2026 |
| CVE-2026-46324(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use list_del_rcu for netlink hooks nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need to use list_del_rcu(), this list can be walked by concurrent dumpers. Add a new helper and use it consistently. | Jun 9, 2026 |
| CVE-2026-46323(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs. | Jun 9, 2026 |
| CVE-2026-46322(opens NVD record) | High | 7.1 | In the Linux kernel, the following vulnerability has been resolved: tun: free page on build_skb failure in tun_xdp_one() When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk. Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform. | Jun 9, 2026 |