VYPR

CVEs

100,082 total · page 72 of 2,002

  • CVE-2026-43476HigMay 13, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to…

  • CVE-2026-42945HigMay 13, 2026
    risk 0.53cvss 8.1epss 0.61

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1,…

  • CVE-2026-42930HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-42924HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-42920HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-42409HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of…

  • CVE-2026-42406HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.     Note: Software versions which have reached End of…

  • CVE-2026-42290HigMay 13, 2026
    risk 0.51cvss 7.8epss 0.00

    protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted…

  • CVE-2026-42266HigMay 13, 2026
    risk 0.50cvss 8.8epss 0.01

    JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced…

  • CVE-2026-41957HigMay 13, 2026
    risk 0.57cvss 8.8epss 0.01

    An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-41956HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-41953HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support…

  • CVE-2026-41227HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support…

  • CVE-2026-41218HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software…

  • CVE-2026-41217HigMay 13, 2026
    risk 0.51cvss 7.9epss 0.00

    A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit…

  • CVE-2026-40698HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation.  Note:…

  • CVE-2026-40631HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40629HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40618HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management…

  • CVE-2026-40423HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40067HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40061HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges.…

  • CVE-2026-40060HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-39459HigMay 13, 2026
    risk 0.47cvss 7.2epss 0.00

    A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of…

  • CVE-2026-39458HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-39455HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors.  Note: Software versions which have reached End of Technical…

  • CVE-2026-36741HigMay 13, 2026
    risk 0.47cvss 7.2epss 0.02

    U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject…

  • CVE-2026-34176HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.01

    When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.   Note: Software versions which have reached End of Technical…

  • CVE-2026-32673HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the…

  • CVE-2026-32643HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical…

  • CVE-2026-20916HigMay 13, 2026
    risk 0.53cvss 8.1epss 0.00

    An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-28344HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function AuxJack.

  • CVE-2025-28343HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function ThreadReadButtons.

  • CVE-2024-55045HigMay 13, 2026
    risk 0.47cvss 7.3epss 0.00

    Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via the task_mavobc_entry function at /comm/task_comm.c.

  • CVE-2020-37226HigMay 13, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2020-37224HigMay 13, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2020-37223HigMay 13, 2026
    risk 0.51cvss 7.8epss 0.00

    IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory and…

  • CVE-2020-37222HigMay 13, 2026
    risk 0.47cvss 7.2epss 0.00

    Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and…

  • CVE-2020-37221HigMay 13, 2026
    risk 0.55cvss 8.4epss 0.00

    Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration. Attackers can craft a buffer with structured exception handling…

  • CVE-2020-37220HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the…

  • CVE-2020-37219HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.01

    Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files…

  • CVE-2020-37218HigMay 13, 2026
    risk 0.53cvss 8.2epss 0.00

    Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL…

  • CVE-2026-4609HigMay 13, 2026
    risk 0.39cvss 7.1epss 0.00

    The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers,…

  • CVE-2026-39806HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.01

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the…

  • CVE-2026-39803HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.01

    Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied…

  • CVE-2026-37430HigMay 13, 2026
    risk 0.47cvss 7.3epss 0.00

    An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2026-6177HigMay 13, 2026
    risk 0.47cvss 7.2epss 0.00

    The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's…

  • CVE-2026-3425HigMay 13, 2026
    risk 0.50cvss 8.8epss 0.01

    The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and…

  • CVE-2026-35506HigMay 13, 2026
    risk 0.47cvss 7.2epss 0.01

    ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed.

  • CVE-2026-6276HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.00

    Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first…