Export limit exceeded: 351445 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351445 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37228 | 1 Yerootech | 1 Ids6 Dsspro Digital Signage System | 2026-05-17 | 9.8 Critical |
| iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts. | ||||
| CVE-2020-37231 | 1 Cybertronsoft | 1 Privacy Drive | 2026-05-17 | 7.8 High |
| Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Attackers can place malicious executables in the unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot. | ||||
| CVE-2020-37239 | 1 Gegl | 2 Gegl, Libbabl | 2026-05-17 | 9.8 Critical |
| libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution. | ||||
| CVE-2020-37243 | 3 Supsystic, Wordpress, Wpdarko | 3 Price Table, Wordpress, Responsive Pricing Table | 2026-05-17 | 8.2 High |
| Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables. | ||||
| CVE-2020-37244 | 2 Supsystic, Wordpress | 2 Membership, Wordpress | 2026-05-17 | 8.2 High |
| Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques. | ||||
| CVE-2020-37245 | 2 Supsystic, Wordpress | 2 Digital Publications By Supsystic, Wordpress | 2026-05-17 | 7.5 High |
| Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited. | ||||
| CVE-2020-37246 | 2 Supsystic, Wordpress | 2 Backup, Wordpress | 2026-05-17 | 6.2 Medium |
| Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter. | ||||
| CVE-2021-47952 | 1 Jsonpickle Project | 1 Jsonpickle | 2026-05-17 | 9.8 Critical |
| python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code. | ||||
| CVE-2021-47957 | 2 Cookielawinfo, Wordpress | 2 Cookie Law Bar, Wordpress | 2026-05-17 | 6.4 Medium |
| Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Attackers can inject script payloads through the plugin settings page that execute in the browsers of all WordPress users viewing the site, enabling cookie theft and sensitive data exfiltration. | ||||
| CVE-2021-47969 | 1 Color-notes | 1 Color Notes | 2026-05-17 | 7.5 High |
| Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350,000 repeated characters and paste it twice into a new note to cause the application to stop responding. | ||||
| CVE-2021-47970 | 1 Macaron-notes-great-notebook | 1 Macaron Notes Gear Notebook | 2026-05-17 | 7.5 High |
| Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger application crash and stop functionality. | ||||
| CVE-2021-47971 | 1 My-notes-safe | 1 My Notes Safe | 2026-05-17 | 7.5 High |
| My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash. | ||||
| CVE-2021-47972 | 1 Sticky-notes-color-widgets | 1 Sticky Notes Color Widgets | 2026-05-17 | 7.5 High |
| Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can paste large payloads of repeated characters into note fields to trigger application crashes and make the application stop responding. | ||||
| CVE-2021-47980 | 2 Getfuelcms, Thedaylightstudio | 2 Fuel Cms, Fuel Cms | 2026-05-17 | 7.1 High |
| Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays. | ||||
| CVE-2021-47942 | 1 Home-assistant | 1 Home Assistant Community Store | 2026-05-17 | 7.5 High |
| Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances. | ||||
| CVE-2021-47977 | 2 Gotmls, Wordpress | 2 Malware Security And Bruteforce Firewall, Wordpress | 2026-05-17 | 7.5 High |
| WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicator_download action via admin-ajax.php with path traversal sequences to access sensitive system files outside the intended directory. | ||||
| CVE-2026-8719 | 2 Tigroumeow, Wordpress | 2 Ai Engine – The Chatbot And Ai Framework For Wordpress, Wordpress | 2026-05-17 | 8.8 High |
| The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator. | ||||
| CVE-2018-25320 | 1 Acl | 1 Acl Analytics | 2026-05-17 | 9.8 Critical |
| ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers can use bitsadmin to download malicious PowerShell scripts and execute them with system privileges to establish reverse shells and gain complete system control. | ||||
| CVE-2018-25321 | 1 Tp-link | 1 Tl-wr720nmbps Wireless N Router | 2026-05-17 | 4.3 Medium |
| TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change WiFi security settings via WlanSecurityRpm.htm by tricking authenticated users into visiting attacker-controlled pages. | ||||
| CVE-2018-25323 | 1 Alloksoft | 2 Allok Avi Divx Mpeg To Dvd Converter, Wmv To Avi Mpeg Dvd Wmv Convertor | 2026-05-17 | 8.4 High |
| Allok AVI DivX MPEG to DVD Converter 2.6.1217 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Attackers can craft a text file with a specially crafted buffer containing shellcode and SEH chain overwrite values, then paste the contents into the License Name field to trigger code execution. | ||||