Export limit exceeded: 361784 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361784 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361784 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-50132 | 1 Budibase | 1 Budibase | 2026-06-29 | 7.3 High |
| Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0. | ||||
| CVE-2026-54351 | 1 Budibase | 1 Budibase | 2026-06-29 | 8.2 High |
| Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9. | ||||
| CVE-2026-53576 | 1 Kestra-io | 1 Kestra | 2026-06-29 | 10 Critical |
| Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresses its resources by URL path segments that the caller chooses (/api/v1/{tenant}/flows/{namespace}, /api/v1/{tenant}/executions/{namespace}/{id}, /api/v1/{tenant}/namespaces/{namespace}/kv/{key}). An anonymous caller picks the literal configs as the final segment, and the request bypasses Basic-Auth entirely. Because the bypass reaches the flow-create and execution-trigger routes, an unauthenticated caller creates a flow containing a Shell or Process task and runs it. The task executes as root inside the kestra container. The official docker-compose.yml mounts /var/run/docker.sock, so root in the container reaches the host Docker daemon. This vulnerability is fixed in 1.0.45 and 1.3.21. | ||||
| CVE-2026-57320 | 2026-06-29 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions. | ||||
| CVE-2026-57331 | 2026-06-29 | 9.9 Critical | ||
| Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions. | ||||
| CVE-2026-57337 | 2026-06-29 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions. | ||||
| CVE-2026-13578 | 1 Itsourcecode | 1 Hospital Management System | 2026-06-29 | 6.3 Medium |
| A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patientdetail.php. Performing a manipulation of the argument editid results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-52779 | 1 Opf | 1 Openproject | 2026-06-29 | 5.4 Medium |
| OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1. | ||||
| CVE-2026-57336 | 2026-06-29 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions. | ||||
| CVE-2026-56041 | 2 Dfactory, Wordpress | 2 Responsive Lightbox, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions. | ||||
| CVE-2026-13581 | 1 Edimax | 1 Ew-7478apc | 2026-06-29 | 6.3 Medium |
| A vulnerability was detected in Edimax EW-7478APC 1.04. This vulnerability affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-53303 | 1 Linux | 1 Linux Kernel | 2026-06-29 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() In f2fs_sbi_show(), the extension_list, extension_count and hot_ext_count are read without holding sbi->sb_lock. If a concurrent sysfs store modifies the extension list via f2fs_update_extension_list(), the show path may read inconsistent count and array contents, potentially leading to out-of-bounds access or displaying stale data. Fix this by holding sb_lock around the entire extension list read and format operation. | ||||
| CVE-2026-56124 | 2026-06-29 | 7.5 High | ||
| phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. | ||||
| CVE-2026-57330 | 2026-06-29 | 6.5 Medium | ||
| Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions. | ||||
| CVE-2026-57338 | 2026-06-29 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions. | ||||
| CVE-2026-56061 | 2 Wordpress, Wp Swings | 2 Wordpress, Subscriptions For Woocommerce | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions. | ||||
| CVE-2026-57332 | 2026-06-29 | 7.1 High | ||
| Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions. | ||||
| CVE-2026-53550 | 1 Nodeca | 1 Js-yaml | 2026-06-29 | 5.3 Medium |
| js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. | ||||
| CVE-2026-57326 | 2026-06-29 | 6.5 Medium | ||
| Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions. | ||||
| CVE-2026-13571 | 1 Sourcecodester | 1 Simple Food Ordering System | 2026-06-29 | 5.3 Medium |
| A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lead to business logic errors. The attack may be performed from remote. The exploit has been published and may be used. | ||||