Export limit exceeded: 351329 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351329 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-47970 | 2026-05-16 | 7.5 High | ||
| Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger application crash and stop functionality. | ||||
| CVE-2021-47969 | 2026-05-16 | 7.5 High | ||
| Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350,000 repeated characters and paste it twice into a new note to cause the application to stop responding. | ||||
| CVE-2021-47957 | 2026-05-16 | 6.4 Medium | ||
| Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Attackers can inject script payloads through the plugin settings page that execute in the browsers of all WordPress users viewing the site, enabling cookie theft and sensitive data exfiltration. | ||||
| CVE-2021-47956 | 2026-05-16 | 8.2 High | ||
| EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information. | ||||
| CVE-2021-47955 | 1 Couchcms | 1 Couchcms | 2026-05-16 | 5.4 Medium |
| CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which are then executed in users' browsers when the files are accessed or previewed. | ||||
| CVE-2021-47954 | 1 Layerbb | 1 Layerbb | 2026-05-16 | 8.2 High |
| LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send POST requests to /search.php with malicious search_query values using CASE WHEN statements to extract sensitive database information. | ||||
| CVE-2021-47952 | 2026-05-16 | 9.8 Critical | ||
| python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code. | ||||
| CVE-2021-47934 | 1 Mybb | 1 Mybb | 2026-05-16 | 5.3 Medium |
| MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles. | ||||
| CVE-2020-37246 | 2026-05-16 | 6.2 Medium | ||
| Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter. | ||||
| CVE-2020-37245 | 1 Supsystic | 1 Digital Publications By Supsystic | 2026-05-16 | 7.5 High |
| Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited. | ||||
| CVE-2020-37244 | 2026-05-16 | 8.2 High | ||
| Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques. | ||||
| CVE-2020-37243 | 1 Wpdarko | 1 Responsive Pricing Table | 2026-05-16 | 8.2 High |
| Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables. | ||||
| CVE-2020-37240 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-05-16 | 6.4 Medium |
| Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which execute when viewing the User List page. | ||||
| CVE-2020-37239 | 1 Gegl | 1 Gegl | 2026-05-16 | 9.8 Critical |
| libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution. | ||||
| CVE-2020-37238 | 1 Cmsmadesimple | 1 Cms Made Simple | 2026-05-16 | 6.4 Medium |
| CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking. | ||||
| CVE-2020-37237 | 1 Compo | 1 Composr Cms | 2026-05-16 | 6.4 Medium |
| Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page. | ||||
| CVE-2020-37235 | 2026-05-16 | 6.4 Medium | ||
| WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page. | ||||
| CVE-2020-37234 | 1 Tonec | 1 Internet Download Manager | 2026-05-16 | 6.2 Medium |
| Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to trigger a denial of service condition. | ||||
| CVE-2020-37233 | 1 Boonebgorges | 1 Buddypress Docs | 2026-05-16 | 6.4 Medium |
| WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks. | ||||
| CVE-2020-37232 | 1 Iobit | 1 Advanced System Care | 2026-05-16 | 7.8 High |
| Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Attackers can place malicious executables in the system root path that will be executed with LocalSystem privileges during service startup or system reboot. | ||||