Export limit exceeded: 351329 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351329 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6050 | 2026-05-16 | N/A | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2026-46728 | 1 Denx | 1 U-boot | 2026-05-16 | 8.2 High |
| Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash. | ||||
| CVE-2026-46719 | 2026-05-16 | N/A | ||
| Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. | ||||
| CVE-2021-47974 | 2 Vxsearch, Webberzone | 2 Vx Search, Better Search | 2026-05-16 | 7.8 High |
| VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Attackers can place malicious executables in unquoted path directories like C:\Program Files\VX Search to execute arbitrary code with LocalSystem privileges when services restart. | ||||
| CVE-2021-47975 | 2 Wordpress, Wplearnmanager | 2 Wordpress, Wp Learn Manager | 2026-05-16 | 7.2 High |
| WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface. | ||||
| CVE-2020-37247 | 1 Kite | 1 Kite | 2026-05-16 | 7.8 High |
| Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts. | ||||
| CVE-2020-37236 | 1 Netartmedia | 1 News Lister | 2026-05-16 | 6.4 Medium |
| NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users. | ||||
| CVE-2020-37242 | 2 Supsystic, Wordpress | 2 Ultimate Maps, Wordpress | 2026-05-16 | 8.2 High |
| Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information. | ||||
| CVE-2026-39054 | 2026-05-16 | 7.3 High | ||
| Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution. | ||||
| CVE-2021-47978 | 1 Processmaker | 1 Processmaker | 2026-05-16 | 6.2 Medium |
| ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication. | ||||
| CVE-2021-47977 | 2026-05-16 | 7.5 High | ||
| WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicator_download action via admin-ajax.php with path traversal sequences to access sensitive system files outside the intended directory. | ||||
| CVE-2021-47942 | 2026-05-16 | 7.5 High | ||
| Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances. | ||||
| CVE-2020-37241 | 1 Bloofox | 1 Bloofoxcms | 2026-05-16 | 5.3 Medium |
| bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent. | ||||
| CVE-2021-47981 | 1 Opensolution | 2 Quick.cms, Quick.cms.ext | 2026-05-16 | 5.4 Medium |
| Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted. | ||||
| CVE-2021-47980 | 1 Thedaylightstudio | 1 Fuel Cms | 2026-05-16 | 7.1 High |
| Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays. | ||||
| CVE-2021-47979 | 2026-05-16 | 8.8 High | ||
| WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory. | ||||
| CVE-2021-47976 | 1 Textpattern | 1 Textpattern | 2026-05-16 | 8.8 High |
| TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution. | ||||
| CVE-2021-47973 | 2026-05-16 | 7.5 High | ||
| Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | ||||
| CVE-2021-47972 | 2026-05-16 | 7.5 High | ||
| Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can paste large payloads of repeated characters into note fields to trigger application crashes and make the application stop responding. | ||||
| CVE-2021-47971 | 2026-05-16 | 7.5 High | ||
| My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash. | ||||