Search Results (85562 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69130 2 Themovation, Wordpress 2 Entrepreneur - Booking For Small Businesses Wordpress Theme, Wordpress 2026-06-20 8.8 High
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.
CVE-2025-69144 2 Themerex, Wordpress 2 Preservation, Wordpress 2026-06-20 8.1 High
Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.
CVE-2025-69164 2 Themerex, Wordpress 2 Skyward, Wordpress 2026-06-20 8.1 High
Unauthenticated Local File Inclusion in Skyward <= 1.10 versions.
CVE-2025-69170 2 Themerex, Wordpress 2 Eventicity, Wordpress 2026-06-20 8.1 High
Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.
CVE-2025-69175 2 Themerex, Wordpress 2 Line Agency, Wordpress 2026-06-20 8.1 High
Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions.
CVE-2026-39445 2 Presslayouts, Wordpress 2 Alukas, Wordpress 2026-06-20 8.1 High
Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.
CVE-2026-39559 2 Codesupplyco, Wordpress 2 Uppercase, Wordpress 2026-06-20 8.1 High
Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.
CVE-2026-40738 2 Edge-themes, Wordpress 2 Eldon, Wordpress 2026-06-20 8.1 High
Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.
CVE-2026-40752 2 Select-themes, Wordpress 2 Manufaktur Solutions, Wordpress 2026-06-20 8.1 High
Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions.
CVE-2025-69128 2 Emv, Wordpress 2 Jobcareer, Wordpress 2026-06-20 8.6 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3.
CVE-2025-69189 2 Emv, Wordpress 2 Jobbank, Wordpress 2026-06-20 7.3 High
Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3.
CVE-2026-54810 2 Nexi Payments, Wordpress 2 Nexi Xpay, Wordpress 2026-06-20 7.5 High
Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.
CVE-2025-71322 2 Mmaitre314, Picklescan 2 Picklescan, Picklescan 2026-06-20 8.8 High
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
CVE-2026-10696 1 Devolutions 1 Unigetui 2026-06-20 7.5 High
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
CVE-2026-11407 1 Pimcore 1 Pimcore 2026-06-20 7.2 High
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.
CVE-2026-48979 1 Php-standard-library 2 Php-standard-library, Php-standard-library/h2 2026-06-20 7.5 High
PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 ยง8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits and send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.
CVE-2026-50194 1 Steeltoeoss 2 Steeltoe.management.endpoint, Steeltoe.management.endpointcore 2026-06-20 8.2 High
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.
CVE-2026-8050 1 Signalrgb 1 Signalrgb Kernel Driver 2026-06-20 7.5 High
In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash.
CVE-2026-50196 1 Steeltoeoss 1 Steeltoe.discovery.eureka 2026-06-20 7.5 High
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
CVE-2026-50200 1 Steeltoeoss 2 Steeltoe.management.endpoint, Steeltoe.management.endpointcore 2026-06-20 7.5 High
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.