Filtered by vendor Vmware
Subscribe
Total
972 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-40968 | 1 Vmware | 1 Spring Grpc | 2026-04-30 | N/A | 4.2 MEDIUM |
| When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected. | |||||
| CVE-2026-40969 | 1 Vmware | 1 Spring Grpc | 2026-04-30 | N/A | 3.7 LOW |
| The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected. | |||||
| CVE-2026-40967 | 1 Vmware | 1 Spring Ai | 2026-04-29 | N/A | 8.6 HIGH |
| In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) | |||||
| CVE-2026-40966 | 1 Vmware | 1 Spring Ai | 2026-04-29 | N/A | 5.9 MEDIUM |
| In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected. | |||||
| CVE-2026-40978 | 1 Vmware | 1 Spring Ai | 2026-04-29 | N/A | 8.8 HIGH |
| SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) | |||||
| CVE-2026-40979 | 1 Vmware | 1 Spring Ai | 2026-04-29 | N/A | 6.1 MEDIUM |
| In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) | |||||
| CVE-2026-40980 | 1 Vmware | 1 Spring Ai | 2026-04-29 | N/A | 6.5 MEDIUM |
| In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) | |||||
| CVE-2010-1140 | 2 Microsoft, Vmware | 3 Windows, Player, Workstation | 2026-04-29 | 6.9 MEDIUM | N/A |
| The USB service in VMware Workstation 7.0 before 7.0.1 build 227600 and VMware Player 3.0 before 3.0.1 build 227600 on Windows might allow host OS users to gain privileges by placing a Trojan horse program at an unspecified location on the host OS disk. | |||||
| CVE-2013-3519 | 1 Vmware | 5 Esx, Esxi, Fusion and 2 more | 2026-04-29 | 7.9 HIGH | N/A |
| lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x before 5.0.3, VMware Fusion 5.x before 5.0.4, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1, when a 32-bit Windows guest OS is used, allows guest OS users to gain guest OS privileges via an application that performs a crafted memory allocation. | |||||
| CVE-2010-1139 | 2 Linux, Vmware | 6 Linux Kernel, Fusion, Player and 3 more | 2026-04-29 | 7.2 HIGH | N/A |
| Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata. | |||||
| CVE-2011-1787 | 1 Vmware | 5 Esx, Esxi, Fusion and 2 more | 2026-04-29 | 6.9 MEDIUM | N/A |
| Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory. | |||||
| CVE-2012-6325 | 1 Vmware | 1 Vcenter Server Appliance | 2026-04-29 | 4.0 MEDIUM | N/A |
| VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors. | |||||
| CVE-2010-2798 | 7 Avaya, Canonical, Debian and 4 more | 15 Aura Communication Manager, Aura Presence Services, Aura Session Manager and 12 more | 2026-04-29 | 7.2 HIGH | 7.8 HIGH |
| The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. | |||||
| CVE-2012-1512 | 1 Vmware | 1 Vsphere | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry. | |||||
| CVE-2012-1508 | 1 Vmware | 3 Esx, Esxi, View | 2026-04-29 | 7.2 HIGH | N/A |
| The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. | |||||
| CVE-2009-2277 | 1 Vmware | 2 Esx Server, Virtualcenter | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "context data." | |||||
| CVE-2011-1786 | 2 Likewise, Vmware | 3 Likewise Open, Esx, Esxi | 2026-04-29 | 5.0 MEDIUM | N/A |
| lsassd in Likewise Open /Enterprise 5.3 before build 7845, Open 6.0 before build 8325, and Enterprise 6.0 before build 178, as distributed in VMware ESXi 4.1 and ESX 4.1 and possibly other products, allows remote attackers to cause a denial of service (daemon crash) via an Active Directory login attempt that provides a username containing an invalid byte sequence. | |||||
| CVE-2013-1661 | 1 Vmware | 2 Esx, Esxi | 2026-04-29 | 4.3 MEDIUM | N/A |
| VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to cause a denial of service (unhandled exception and application crash) by modifying the client-server data stream. | |||||
| CVE-2012-1518 | 1 Vmware | 5 Esx, Esxi, Fusion and 2 more | 2026-04-29 | 8.3 HIGH | N/A |
| VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 use an incorrect ACL for the VMware Tools folder, which allows guest OS users to gain guest OS privileges via unspecified vectors. | |||||
| CVE-2010-2066 | 4 Canonical, Linux, Suse and 1 more | 6 Ubuntu Linux, Linux Kernel, Linux Enterprise High Availability Extension and 3 more | 2026-04-29 | 2.1 LOW | 5.5 MEDIUM |
| The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor. | |||||