7,815 CVEs · Medium severity
CVEs (7,815, showing first 500)
Showing 1–25 of 7,815 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-46361 | MEDIUM | Patched | 6.9 | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, d… |
| CVE-2026-37503 | MEDIUM | Patched | 6.9 | 2026-05-01 | Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.bl… |
| CVE-2026-41238 | MEDIUM | | 6.9 | 2026-04-23 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. Whe… |
| CVE-2026-41527 | MEDIUM | Patched | 6.9 | 2026-04-21 | KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ens… |
| CVE-2026-41253 | MEDIUM | Patched | 6.9 | 2026-04-18 | In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is va… |
| CVE-2026-39963 | MEDIUM | Patched | 6.9 | 2026-04-15 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_H… |
| CVE-2026-37980 | MEDIUM | | 6.9 | 2026-04-14 | A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileg… |
| CVE-2026-40446 | MEDIUM | | 6.9 | 2026-04-13 | Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 97e8115… |
| CVE-2026-28553 | MEDIUM | | 6.9 | 2026-04-13 | Vulnerability of improper permission control in the theme setting module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2026-34530 | MEDIUM | Patched | 6.9 | 2026-04-01 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA in… |
| CVE-2026-32041 | MEDIUM | Patched | 6.9 | 2026-03-19 | OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without aut… |
| CVE-2026-11218 | MEDIUM | Patched | 6.8 | 2026-06-04 | Inappropriate implementation in PlatformIntegration in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific … |
| CVE-2026-11166 | MEDIUM | Patched | 6.8 | 2026-06-04 | Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (C… |
| CVE-2026-36175 | MEDIUM | | 6.8 | 2026-06-04 | An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence … |
| CVE-2026-50206 | MEDIUM | Patched | 6.8 | 2026-06-04 | Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files. |
| CVE-2026-7764 | MEDIUM | | 6.8 | 2026-06-04 | An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attack… |
| CVE-2025-15653 | MEDIUM | | 6.8 | 2026-06-02 | Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical … |
| CVE-2026-0086 | MEDIUM | | 6.8 | 2026-06-01 | In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privile… |
| CVE-2026-0048 | MEDIUM | | 6.8 | 2026-06-01 | In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of… |
| CVE-2026-45810 | MEDIUM | Patched | 6.8 | 2026-06-01 | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a re… |
| CVE-2026-9673 | MEDIUM | Patched | 6.8 | 2026-05-28 | Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can i… |
| CVE-2026-9802 | MEDIUM | | 6.8 | 2026-05-28 | A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This … |
| CVE-2026-44247 | MEDIUM | Patched | 6.8 | 2026-05-27 | Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP re… |
| CVE-2026-48545 | MEDIUM | Patched | 6.8 | 2026-05-27 | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-le… |
| CVE-2026-9617 | MEDIUM | Patched | 6.8 | 2026-05-27 | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If… |