Vulnerabilities (CVE)

Filtered by NVD-CWE-noinfo
Total 35862 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-15066 1 Hinet 2 Gpon, Gpon Firmware 2026-06-17 10.0 HIGH 10.0 CRITICAL
An “invalid command” handler issue was discovered in HiNet GPON firmware < I040GWR190731. It allows an attacker to execute arbitrary command through port 6998. CVSS 3.0 Base score 10.0. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVE-2019-15065 1 Hinet 2 Gpon, Gpon Firmware 2026-06-17 5.0 MEDIUM 9.3 CRITICAL
A service which is hosted on port 6998 in HiNet GPON firmware < I040GWR190731 allows an attacker to execute a specific command to read arbitrary files. CVSS 3.0 Base score 9.3. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
CVE-2019-15038 1 Jetbrains 1 Teamcity 2026-06-17 5.0 MEDIUM 7.5 HIGH
An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.
CVE-2019-15035 1 Jetbrains 1 Teamcity 2026-06-17 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could get access to potentially confidential server-level data. The issue was fixed in TeamCity 2018.2.5 and 2019.1.
CVE-2019-15028 1 Joomla 1 Joomla\! 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.
CVE-2019-15024 1 Clickhouse 1 Clickhouse 2026-06-17 4.0 MEDIUM 6.5 MEDIUM
In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.
CVE-2019-15009 1 Atlassian 2 Crucible, Fisheye 2026-06-17 4.0 MEDIUM 4.3 MEDIUM
The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.
CVE-2019-14986 1 Eq-3 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more 2026-06-17 9.3 HIGH 8.1 HIGH
eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.
CVE-2019-14940 1 Spdk 1 Storage Performance Development Kit 2026-06-17 4.0 MEDIUM 6.5 MEDIUM
In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input.
CVE-2019-14939 1 Mysql Project 1 Mysql 2026-06-17 2.1 LOW 5.5 MEDIUM
An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default.
CVE-2019-14936 1 Easyappointments 1 Easy\!appointments 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash).
CVE-2019-14920 1 Billion 2 Sg600 R2, Sg600 R2 Firmware 2026-06-17 9.0 HIGH 8.8 HIGH
Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an authenticated attacker to gain root execution privileges over the device via a hidden etc_ro/web/adm/system_command.asp shell feature.
CVE-2019-14902 4 Canonical, Debian, Opensuse and 1 more 4 Ubuntu Linux, Debian Linux, Leap and 1 more 2026-06-17 5.5 MEDIUM 5.4 MEDIUM
There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.
CVE-2019-14888 2 Netapp, Redhat 6 Active Iq Unified Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more 2026-06-17 5.0 MEDIUM 7.5 HIGH
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
CVE-2019-14880 1 Moodle 1 Moodle 2026-06-17 6.4 MEDIUM 9.1 CRITICAL
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
CVE-2019-14820 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Fuse, Keycloak and 1 more 2026-06-17 4.0 MEDIUM 4.3 MEDIUM
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
CVE-2019-14809 2 Debian, Golang 2 Debian Linux, Go 2026-06-17 7.5 HIGH 9.8 CRITICAL
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
CVE-2019-14802 1 Hashicorp 1 Nomad 2026-06-17 N/A 5.3 MEDIUM
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.
CVE-2019-14783 1 Google 1 Android 2026-06-17 2.1 LOW 5.5 MEDIUM
On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764.
CVE-2019-14773 1 Webcraftic 1 Woody Ad Snippets 2026-06-17 6.4 MEDIUM 7.5 HIGH
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.