Total
4676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-44458 | 1 Hono | 1 Hono | 2026-05-13 | N/A | 4.3 MEDIUM |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18. | |||||
| CVE-2026-33833 | 2026-05-13 | N/A | 8.2 HIGH | ||
| Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2026-8211 | 2026-05-13 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8210 | 2026-05-13 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8231 | 2026-05-13 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2015-8258 | 1 Axis | 1 Axis Communications Firmware | 2026-05-13 | 7.8 HIGH | 7.5 HIGH |
| AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability." | |||||
| CVE-2017-17535 | 1 Gjots2 Project | 1 Gjots2 | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17515 | 2 Debian, Ecmwf | 2 Debian Linux, Metview | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the code to access this environment variable is not enabled in the shipped product | |||||
| CVE-2017-15313 | 1 Huawei | 1 Smartcare | 2026-05-13 | 6.5 MEDIUM | 8.8 HIGH |
| Huawei SmartCare V200R003C10 has a CSV injection vulnerability. An remote authenticated attacker could inject malicious CSV expression to the affected device. | |||||
| CVE-2017-17528 | 1 Scummvm | 1 Scummvm | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17514 | 2 Debian, Nip2 Project | 2 Debian Linux, Nip2 | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable | |||||
| CVE-2017-17525 | 1 Xtuple | 1 Postbooks | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17518 | 1 White Dune Project | 1 White Dune | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: This issue is being disputed as not being a vulnerability because “the current version of white_dune (1.369 at https://wdune.ourproject.org/) do not use a "BROWSER environment variable". Instead, the "browser" variable is read from the $HOME/.dunerc file (or from the M$Windows registry). It is configurable in the "options" menu. The default is chosen in the ./configure script, which tests various programs, first tested is "xdg-open". | |||||
| CVE-2017-17517 | 1 Sylpheed Project | 1 Sylpheed | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-0154 | 1 Microsoft | 3 Internet Explorer, Windows 10, Windows Server 2016 | 2026-05-13 | 5.8 MEDIUM | 4.4 MEDIUM |
| Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windows Server 2016 does not enforce cross-domain policies, allowing attackers to access information from one domain and inject it into another via a crafted application, aka, "Internet Explorer Elevation of Privilege Vulnerability." | |||||
| CVE-2017-5246 | 1 Biscom | 1 Secure File Transfer | 2026-05-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Biscom Secure File Transfer is vulnerable to AngularJS expression injection in the Display Name field. An authenticated user can populate this field with a valid AngularJS expression, wrapped in double curly-braces ({{ }}). This expression will be evaluated by any other authenticated user who views the attacker's display name. Affected versions are 5.0.0000 through 5.1.1026. The Issue is fixed in 5.1.1028. | |||||
| CVE-2017-17511 | 2 Debian, Kildclient | 2 Debian Linux, Kildclient | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| KildClient 3.1.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to prefs.c and worldgui.c. | |||||
| CVE-2017-17790 | 1 Ruby-lang | 1 Ruby | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely. | |||||
| CVE-2017-5630 | 1 Php | 1 Pear | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite. | |||||
| CVE-2015-7264 | 1 Proxygen Project | 1 Proxygen | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a certain field to two bytes, which allows hijacking and injection attacks. | |||||