Export limit exceeded: 361796 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361796 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361796 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10823 | 2 Wordpress, Ymc Filter | 2 Wordpress, Ymc Filter | 2026-06-29 | 7.5 High |
| The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied query parameter, allowing unauthenticated attackers to retrieve the titles and content of private, draft, and other non-public posts. | ||||
| CVE-2026-10835 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2026-06-29 | 7.7 High |
| The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks. | ||||
| CVE-2026-49486 | 1 Apache | 1 Airflow Ftp Provider | 2026-06-29 | 7.5 High |
| The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel. | ||||
| CVE-2026-11625 | 1 Davido | 1 Bytes::random::secure | 2026-06-29 | 7.5 High |
| Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes. | ||||
| CVE-2026-11702 | 1 Davido | 1 Bytes::random::secure::tiny | 2026-06-29 | 7.5 High |
| Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes. | ||||
| CVE-2026-57912 | 1 Johnson & Johnson | 1 Campus Recruiting | 2026-06-29 | 7.5 High |
| Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers. | ||||
| CVE-2026-57913 | 1 Johnson & Johnson | 1 Audit Tracking Management System | 2026-06-29 | 7.5 High |
| Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts. | ||||
| CVE-2025-7958 | 1 Trellix | 1 Network Security | 2026-06-29 | N/A |
| A Code Injection vulnerability existed in Trellix Network Security CM and NX. A locally authenticated admin user can execute arbitrary code using the web interface and Alert artifact details. | ||||
| CVE-2026-57473 | 1 Reolink | 1 Home Hub | 2026-06-29 | N/A |
| A vulnerability exists in the netclient and factory services of Reolink Home Hub (versions prior to v3.3.0.456_26031911) due to the possibility of brute-force cracking the credentials. This issue could allow attackers on the same local network to intercept traffic between the Hub and associated cameras and compromise the credentials of connected cameras. | ||||
| CVE-2026-57920 | 1 Peplink | 1 Incontrol | 2026-06-29 | 7.7 High |
| Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints. | ||||
| CVE-2026-13426 | 1 Mattermost | 1 Mattermost Server | 2026-06-29 | 5.4 Medium |
| The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532 | ||||
| CVE-2026-57527 | 1 Zaproxy | 1 Zap-extensions | 2026-06-29 | 8.8 High |
| Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel. | ||||
| CVE-2025-63041 | 2 Codeamp, Wordpress | 2 Forget About Shortcode Buttons, Wordpress | 2026-06-29 | 5.4 Medium |
| Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. | ||||
| CVE-2025-63078 | 2 Jetmonsters, Wordpress | 2 Restaurant Menu By Motopress, Wordpress | 2026-06-29 | 4.3 Medium |
| Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions. | ||||
| CVE-2025-63079 | 2 Bdthemes, Wordpress | 2 Live Copy Paste For Elementor, Wordpress | 2026-06-29 | 4.3 Medium |
| Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions. | ||||
| CVE-2025-64636 | 2 Rhewlif, Wordpress | 2 Donation Thermometer, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions. | ||||
| CVE-2025-64637 | 2 Opal Wp, Wordpress | 2 Auros Core, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Content Injection in Auros Core <= 5.3.1 versions. | ||||
| CVE-2025-66123 | 2 About Envato, Wordpress | 2 Bookpro, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions. | ||||
| CVE-2025-68063 | 2 Stylemixthemes, Wordpress | 2 Splash - Sport Club Wordpress Theme For Basketball, Football, Hockey, Wordpress | 2026-06-29 | 7.5 High |
| Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. | ||||
| CVE-2025-68064 | 2 Everthemess, Wordpress | 2 Goya Core, Wordpress | 2026-06-29 | 7.5 High |
| Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions. | ||||