Export limit exceeded: 350927 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350927 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44368 | 1 Svvqt | 1 Pyquorum | 2026-05-14 | N/A |
| PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recover the values of shares, ultimately leading to secret reconstruction. This vulnerability is fixed in 0.2.1. | ||||
| CVE-2026-44373 | 1 Nitrojs | 2 Nitro, Nitropack | 2026-05-14 | 5.3 Medium |
| Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in 3.0.260429-beta. | ||||
| CVE-2026-44377 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 9.1 Critical |
| CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0. | ||||
| CVE-2026-39358 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 7.2 High |
| CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0. | ||||
| CVE-2026-39428 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 4.8 Medium |
| CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0. | ||||
| CVE-2026-44376 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 6.1 Medium |
| CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0. | ||||
| CVE-2026-45053 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 9.1 Critical |
| CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write — including the document root — yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0. | ||||
| CVE-2026-45054 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 4.9 Medium |
| CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters — none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0. | ||||
| CVE-2026-45055 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 8.1 High |
| CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery&validate=<TOKEN>. The token is valid against the legitimate store — capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2. | ||||
| CVE-2026-45708 | 1 Cubecart | 1 Cubecart | 2026-05-14 | 7.2 High |
| CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an explicit <Files print.*.php> allow from all </Files> carve-out, so the file is fetched and executed by any unauthenticated visitor. This vulnerability is fixed in 6.7.3. | ||||
| CVE-2026-44425 | 1 Shellhub-io | 1 Shellhub | 2026-05-14 | 5.4 Medium |
| ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2. | ||||
| CVE-2026-44424 | 1 Shellhub-io | 1 Shellhub | 2026-05-14 | 6.5 Medium |
| ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2. | ||||
| CVE-2026-44423 | 1 Shellhub-io | 1 Shellhub | 2026-05-14 | 6.5 Medium |
| ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2. | ||||
| CVE-2026-44439 | 1 Lookyloo | 1 Playwrightcapture | 2026-05-14 | N/A |
| PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses. In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs. This vulnerability is fixed in 1.39.6. | ||||
| CVE-2026-44471 | 1 Gitoxidelabs | 1 Gitoxide | 2026-05-14 | 7.8 High |
| gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack. gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs invokes only delegate.push_directory(), never delegate.push(). In gix_worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push_directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink_metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories. Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. This vulnerability is fixed in 0.21.1. | ||||
| CVE-2026-32991 | 2 Webpros, Wordpress | 4 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared and 1 more | 2026-05-14 | 7.1 High |
| Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account. | ||||
| CVE-2026-29206 | 1 Webpros | 3 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared | 2026-05-14 | 8.1 High |
| Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled. | ||||
| CVE-2026-41281 | 1 Kddi Corporation | 1 あんしんフィルター For Au | 2026-05-14 | N/A |
| Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in information disclosure or data tampering. | ||||
| CVE-2026-43652 | 1 Apple | 1 Macos | 2026-05-14 | 7.5 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data. | ||||
| CVE-2026-46419 | 1 Yubico | 1 Webauthn-server-core | 2026-05-14 | 7.5 High |
| Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation. | ||||