Export limit exceeded: 358285 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358285 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9261 | 2026-06-15 | 6.8 Medium | ||
| Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||||
| CVE-2026-9260 | 2026-06-15 | 6.2 Medium | ||
| Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||||
| CVE-2026-9259 | 2026-06-15 | 6.5 Medium | ||
| Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||||
| CVE-2026-9258 | 2026-06-15 | 6.5 Medium | ||
| Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||||
| CVE-2026-46447 | 1 Openstack | 1 Ironic | 2026-06-15 | 5.8 Medium |
| OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | ||||
| CVE-2026-45437 | 2026-06-15 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. | ||||
| CVE-2026-42655 | 2026-06-15 | 7.5 High | ||
| Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions. | ||||
| CVE-2026-42411 | 2026-06-15 | 8.1 High | ||
| Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions. | ||||
| CVE-2026-40799 | 2026-06-15 | 5.8 Medium | ||
| Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions. | ||||
| CVE-2026-40792 | 2026-06-15 | 6.3 Medium | ||
| Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions. | ||||
| CVE-2026-48723 | 2026-06-15 | 7.8 High | ||
| The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6. | ||||
| CVE-2026-40785 | 2026-06-15 | 7.1 High | ||
| Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions. | ||||
| CVE-2026-39527 | 2026-06-15 | 5.4 Medium | ||
| Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions. | ||||
| CVE-2026-39502 | 2026-06-15 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | ||||
| CVE-2026-53523 | 1 Nezhahq | 1 Nezha | 2026-06-15 | 6.8 Medium |
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-39450 | 2026-06-15 | 7.1 High | ||
| Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. | ||||
| CVE-2026-25425 | 2026-06-15 | 7.5 High | ||
| Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. | ||||
| CVE-2025-68840 | 2026-06-15 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. | ||||
| CVE-2026-52722 | 1 Redhat | 1 Enterprise Linux | 2026-06-15 | 7.1 High |
| A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. | ||||
| CVE-2026-48114 | 2026-06-15 | 9.8 Critical | ||
| Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0. | ||||