Total
13866 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48643 | 1 Google | 1 Android | 2026-06-18 | 7.8 High |
| In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-46910 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2026-06-18 | 9.1 Critical |
| Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). | ||||
| CVE-2026-12465 | 1 Google | 1 Chrome | 2026-06-18 | 8.3 High |
| Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-46786 | 1 Oracle | 1 Webcenter Content | 2026-06-18 | 9.6 Critical |
| Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | ||||
| CVE-2026-12453 | 1 Google | 1 Chrome | 2026-06-18 | 4.2 Medium |
| Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-12456 | 1 Google | 1 Chrome | 2026-06-18 | 4.2 Medium |
| Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High) | ||||
| CVE-2026-33000 | 1 Ubiquiti | 1 Unifi Os | 2026-06-18 | 9.1 Critical |
| A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | ||||
| CVE-2026-35433 | 1 Microsoft | 1 .net | 2026-06-17 | 7.3 High |
| Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2026-48922 | 2 Jenkins, Jenkins Project | 2 Credentials Binding, Jenkins Credentials Binding Plugin | 2026-06-17 | 7.5 High |
| Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | ||||
| CVE-2026-0142 | 1 Google | 1 Android | 2026-06-16 | 3.3 Low |
| In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-46001 | 1 Linux | 1 Linux Kernel | 2026-06-16 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure. | ||||
| CVE-2026-12191 | 1 Comma Ai | 1 Openpilot | 2026-06-15 | 7.8 High |
| A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-50628 | 1 Apache | 1 Cxf | 2026-06-15 | 9.8 Critical |
| A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | ||||
| CVE-2026-47181 | 1 Penguinmod | 1 Penguinmod-backendapi | 2026-06-15 | N/A |
| PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0. | ||||
| CVE-2025-25005 | 1 Microsoft | 5 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 2 more | 2026-06-15 | 6.5 Medium |
| Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network. | ||||
| CVE-2025-59248 | 1 Microsoft | 7 Exchange, Exchange Server, Exchange Server 2016 and 4 more | 2026-06-15 | 7.5 High |
| Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64666 | 1 Microsoft | 5 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 2 more | 2026-06-15 | 7.5 High |
| Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-54133 | 1 Jmespath | 2 Jmespath, Jmespath.php | 2026-06-15 | 9.8 Critical |
| jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime. | ||||
| CVE-2026-11280 | 2 Apple, Google | 2 Iphone Os, Chrome | 2026-06-15 | 4.3 Medium |
| Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-47928 | 1 Adobe | 1 Coldfusion | 2026-06-15 | 9.6 Critical |
| ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | ||||