Export limit exceeded: 352552 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 352552 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352552 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-10024 | 1 Xbmc | 1 Xbmc | 2026-05-25 | N/A |
| XBMC version 11.0 contains a path traversal vulnerability in its embedded HTTP server. When accessed via HTTP Basic Authentication, the server fails to properly sanitize URI input, allowing authenticated users to request files outside the intended document root. An attacker can exploit this flaw to read arbitrary files from the host filesystem, including sensitive configuration or credential files. | ||||
| CVE-2010-20042 | 2026-05-25 | N/A | ||
| Xion Audio Player versions 1.0.126 and prior are vulnerable to a Unicode-based stack buffer overflow triggered by opening a specially crafted .m3u playlist file. The file contains an overly long string that overwrites the Structured Exception Handler (SEH) chain, allowing an attacker to hijack execution flow and run arbitrary code. | ||||
| CVE-2009-20008 | 2026-05-25 | N/A | ||
| Green Dam Youth Escort version 3.17 is vulnerable to a stack-based buffer overflow when processing overly long URLs. The flaw resides in the URL filtering component, which fails to properly validate input length before copying user-supplied data into a fixed-size buffer. A remote attacker can exploit this vulnerability by enticing a user to visit a specially crafted webpage containing a long URL, resulting in arbitrary code execution. | ||||
| CVE-2026-27398 | 2 Wordpress, Wpchill | 2 Wordpress, Rsvp And Event Management | 2026-05-25 | 5.3 Medium |
| Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSVP and Event Management: from n/a through 2.7.16. | ||||
| CVE-2026-45435 | 2 Melapress, Wordpress | 2 Wp Activity Log, Wordpress | 2026-05-25 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3. | ||||
| CVE-2026-48852 | 1 Putty | 1 Putty | 2026-05-25 | 3.7 Low |
| PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification. | ||||
| CVE-2025-62745 | 2 Pickplugins, Wordpress | 2 Team Showcase, Wordpress | 2026-05-25 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS. This issue affects Team Showcase: from n/a through 1.22.28. | ||||
| CVE-2026-9513 | 1 Totolink | 1 Ca750-poe | 2026-05-25 | 6.3 Medium |
| A weakness has been identified in Totolink CA750-PoE 6.2c.510. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument host_time can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-9511 | 1 Totolink | 1 Ca750-poe | 2026-05-25 | 6.3 Medium |
| A vulnerability was identified in Totolink CA750-PoE 6.2c.510. This affects the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument webWlanIdx leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-27346 | 2026-05-25 | 4.9 Medium | ||
| Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B2BKing: from n/a before 5.2.10. | ||||
| CVE-2026-48849 | 1 Roundcube | 1 Webmail | 2026-05-25 | 4.4 Medium |
| In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. | ||||
| CVE-2026-9504 | 1 Gnu | 1 Libredwg | 2026-05-25 | 3.3 Low |
| A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue. | ||||
| CVE-2026-48845 | 1 Roundcube | 1 Webmail | 2026-05-25 | 6.5 Medium |
| In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message. | ||||
| CVE-2026-24546 | 2 Ruben Garcia, Wordpress | 2 Gamipress, Wordpress | 2026-05-25 | 5.3 Medium |
| Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3. | ||||
| CVE-2026-9501 | 1 Gnu | 1 Libredwg | 2026-05-25 | 3.3 Low |
| A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue. | ||||
| CVE-2026-9498 | 1 Dromara | 1 Lamp-cloud | 2026-05-25 | 6.3 Medium |
| A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-9497 | 1 Changmingxie | 1 Tcc-transaction | 2026-05-25 | 6.3 Medium |
| A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-9478 | 1 Totolink | 2 A8000ru, A8000ru Firmware | 2026-05-25 | 9.8 Critical |
| A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-9475 | 1 Totolink | 2 A8000ru, A8000ru Firmware | 2026-05-25 | 9.8 Critical |
| A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-9484 | 1 Sourcecodester | 1 Student Grades Management System | 2026-05-25 | 6.3 Medium |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||