Export limit exceeded: 352665 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 352665 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352665 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25379 | 1 Ourenergy | 1 Collectric Cmu | 2026-05-26 | 8.2 High |
| Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques. | ||||
| CVE-2018-25381 | 2 Almera Responsive Portfolio Project, Extro | 2 Almera Responsive Portfolio, Responsive Portfolio | 2026-05-26 | 7.1 High |
| Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details. | ||||
| CVE-2026-9473 | 1 C-rick | 1 Jimeng-mcp | 2026-05-26 | 6.3 Medium |
| A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-44598 | 1 Apache | 1 Shiro | 2026-05-26 | N/A |
| With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie. | ||||
| CVE-2026-24545 | 2 Nikki Blight, Wordpress | 2 Qr Redirector, Wordpress | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. | ||||
| CVE-2026-24582 | 2 Wordpress, Wppool | 2 Wordpress, Flextable | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. | ||||
| CVE-2026-24592 | 2 Lucian Apostol, Wordpress | 2 Auto Affiliate Links, Wordpress | 2026-05-26 | 5.3 Medium |
| Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Affiliate Links: from n/a through 6.8.8.3. | ||||
| CVE-2026-24527 | 2 Patterns In The Cloud, Wordpress | 2 Autoship Cloud For Woocommerce Subscription Products, Wordpress | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0. | ||||
| CVE-2026-39436 | 2 Bgermann, Wordpress | 2 Cformsii, Wordpress | 2026-05-26 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3. | ||||
| CVE-2026-45209 | 2 Edward Plainview, Wordpress | 2 Mycryptocheckout, Wordpress | 2026-05-26 | 7.5 High |
| Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161. | ||||
| CVE-2026-42763 | 2 Sepay Team, Wordpress | 2 Sepay Gateway, Wordpress | 2026-05-26 | 6.5 Medium |
| Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20. | ||||
| CVE-2026-32389 | 2 Linethemes, Wordpress | 2 Nanocare, Wordpress | 2026-05-26 | 5.4 Medium |
| Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2. | ||||
| CVE-2026-42496 | 1 Bingos | 1 Archive::tar | 2026-05-26 | N/A |
| Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path. | ||||
| CVE-2026-42497 | 1 Bingos | 1 Archive::tar | 2026-05-26 | N/A |
| Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone. | ||||
| CVE-2026-9538 | 1 Bingos | 1 Archive::tar | 2026-05-26 | N/A |
| Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size. | ||||
| CVE-2025-71310 | 1 Backdropcms | 1 Gdpr Cookies Module For Backdrop Cms | 2026-05-26 | N/A |
| The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration. | ||||
| CVE-2026-48850 | 1 Putty | 1 Putty | 2026-05-26 | 3.7 Low |
| PuTTY 0.72 before 0.84 has a double free in RSA KEX. | ||||
| CVE-2026-39661 | 2 Magentech, Wordpress | 2 Sw Core, Wordpress | 2026-05-26 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18. | ||||
| CVE-2026-39642 | 2 Spabrice, Wordpress | 2 Nyla, Wordpress | 2026-05-26 | 5.3 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7. | ||||
| CVE-2026-27427 | 2 Dylan Kuhn, Wordpress | 2 Geo Mashup, Wordpress | 2026-05-26 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18. | ||||