Export limit exceeded: 353009 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (353009 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42738 | 2026-05-27 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. | ||||
| CVE-2026-42737 | 2026-05-27 | 8.6 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. | ||||
| CVE-2026-42736 | 2026-05-27 | 7.5 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16. | ||||
| CVE-2018-25372 | 1 Meddream | 1 Pacs Premium | 2026-05-27 | 8.2 High |
| MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database. | ||||
| CVE-2018-25377 | 1 Socusoft | 1 Flash Slideshow Maker | 2026-05-27 | 8.4 High |
| Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload and paste it into the Name and Code fields of the Help > Register dialog to trigger a reverse shell with system privileges. | ||||
| CVE-2026-24937 | 2 Videowhisper, Wordpress | 2 Broadcast Live Video, Wordpress | 2026-05-27 | 7.2 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3. | ||||
| CVE-2026-42776 | 2 Sunshinephotocart, Wordpress | 2 Sunshine Photo Cart, Wordpress | 2026-05-27 | 6.3 Medium |
| Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 3.6.7. | ||||
| CVE-2026-40812 | 3 Helmholz, Mb Connect Line, Mbconnectline | 9 Myrex24.virtual, Myrex24 V2, Myrex24v2 and 6 more | 2026-05-27 | 7.5 High |
| An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | ||||
| CVE-2026-40817 | 3 Helmholz, Mb Connect Line, Mbconnectline | 9 Myrex24.virtual, Myrex24 V2, Myrex24v2 and 6 more | 2026-05-27 | 7.5 High |
| An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | ||||
| CVE-2026-40821 | 3 Helmholz, Mb Connect Line, Mbconnectline | 9 Myrex24.virtual, Myrex24 V2, Myrex24v2 and 6 more | 2026-05-27 | 4.9 Medium |
| A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | ||||
| CVE-2026-40811 | 3 Helmholz, Mb Connect Line, Mbconnectline | 9 Myrex24.virtual, Myrex24 V2, Myrex24v2 and 6 more | 2026-05-27 | 7.5 High |
| An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | ||||
| CVE-2025-0898 | 2026-05-27 | 6.5 Medium | ||
| The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2026-45837 | 1 Linux | 1 Linux Kernel | 2026-05-27 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arena_vm_close on fork arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free. Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback. Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path: check_prep_vma() - returns 0 early: new_len == old_len skips VM_DONTEXPAND check prep_move_vma() - vm_start == old_addr and vm_end == old_addr + old_len so may_split is never called move_vma() copy_vma_and_data() copy_vma() vm_area_dup() - copies vm_private_data (vml pointer) vm_ops->open() - bumps vml->mmap_count vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA. | ||||
| CVE-2025-26570 | 1 Wordpress | 1 Wordpress | 2026-05-27 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. | ||||
| CVE-2025-26569 | 1 Wordpress | 1 Wordpress | 2026-05-27 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. | ||||
| CVE-2026-25444 | 2 Magepeopleteam, Wordpress | 2 Wpbookingly, Wordpress | 2026-05-27 | 4.3 Medium |
| Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | ||||
| CVE-2026-24520 | 2 Bplugins, Wordpress | 2 Tiktok Feed Plugin, Wordpress | 2026-05-27 | 4.3 Medium |
| Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. | ||||
| CVE-2026-48999 | 1 Zte | 1 Zxunipos Nds-lte | 2026-05-27 | 5.7 Medium |
| Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks. | ||||
| CVE-2026-48903 | 1 Joomla | 1 Joomla\! | 2026-05-27 | 6.1 Medium |
| Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | ||||
| CVE-2026-35220 | 2026-05-27 | N/A | ||
| Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | ||||