Search Results (353009 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-46431 | 1 Xyproto | 1 Algernon | 2026-05-27 | 4.3 Medium |
| Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7. | ||||
| CVE-2026-48901 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | ||||
| CVE-2026-30894 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| Lack of output escaping leads to an XSS vector in the content history component. | ||||
| CVE-2026-48898 | 1 Joomla | 2 Joomla!, Joomla\! | 2026-05-27 | 9.8 Critical |
| An improper access check allows privilege escalation through the com_users batch task. | ||||
| CVE-2026-30895 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| Lack of output escaping leads to an XSS vector in the readmore links for com_content. | ||||
| CVE-2026-48904 | 1 Joomla | 2 Joomla!, Joomla\! | 2026-05-27 | 9.8 Critical |
| An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | ||||
| CVE-2026-25900 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| Lack of output escaping leads to an XSS vector in the feed modules. | ||||
| CVE-2026-35223 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| An improper access check allows unauthorized access to com_config webservice endpoints. | ||||
| CVE-2026-48902 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | ||||
| CVE-2026-48900 | 1 Joomla | 2 Joomla!, Joomla\! | 2026-05-27 | 4.3 Medium |
| An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | ||||
| CVE-2026-48899 | 1 Joomla | 2 Joomla!, Joomla\! | 2026-05-27 | 9.8 Critical |
| An improper access check allows privilege escalation through the com_users batch task. | ||||
| CVE-2026-48126 | 1 Xyproto | 1 Algernon | 2026-05-27 | 8.2 High |
| Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. | ||||
| CVE-2026-25901 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| Lack of output escaping leads to an XSS vector in the multilingual associations component. | ||||
| CVE-2026-48897 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| Insufficient state checks lead to a vector that allows bypassing 2FA checks. | ||||
| CVE-2026-48905 | 1 Joomla | 2 Joomla! Framework Filter Package, Joomla\! | 2026-05-27 | 6.1 Medium |
| Lack of input filtering leads to an XSS vector in the HTML filter code. | ||||
| CVE-2026-40384 | 1 Joomla | 1 Joomla! | 2026-05-27 | N/A |
| An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | ||||
| CVE-2026-42756 | | | 2026-05-27 | 9.9 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly quickwebp allows Path Traversal. This issue affects QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly: from n/a through <= 3.2.7. | ||||
| CVE-2026-42755 | | | 2026-05-27 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection. This issue affects TableOn: from n/a through <= 1.0.5.1. | ||||
| CVE-2026-42754 | | | 2026-05-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS. This issue affects Favicon: from n/a through <= 1.3.46. | ||||
| CVE-2026-42739 | | | 2026-05-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS. This issue affects Advanced IP Blocker: from n/a through <= 8.10.7. | ||||