Export limit exceeded: 351494 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351494 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-44795 | 1 Krontech | 1 Single Connect | 2026-05-18 | 5.3 Medium |
| Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating. | ||||
| CVE-2021-44792 | 1 Krontech | 1 Single Connect | 2026-05-18 | 5.3 Medium |
| Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | ||||
| CVE-2021-44197 | 1 Ubit | 1 Student Information Management System | 2026-05-18 | 6.1 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Information Management System: before 20211126. | ||||
| CVE-2021-44196 | 1 Ubit | 1 Student Information Management System | 2026-05-18 | 6.1 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Information Management System: before 20211126. | ||||
| CVE-2021-3855 | 1 Liman | 1 Port Mys | 2026-05-18 | 8.8 High |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Command Injection. This issue affects Liman Central Management System: from 1.7.0 before 1.8.3-462. | ||||
| CVE-2021-3854 | 1 Glox | 1 Useroam Hotspot | 2026-05-18 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15. | ||||
| CVE-2026-8803 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-05-18 | 3.7 Low |
| A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function." | ||||
| CVE-2026-4320 | 2026-05-18 | N/A | ||
| Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials. | ||||
| CVE-2018-25319 | 1 Wende60 | 1 Redaxo Cms Addon Myevents | 2026-05-18 | 7.1 High |
| Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Attackers can send GET requests to the event_add.php page with malicious myevents_id values to extract or modify sensitive database information. | ||||
| CVE-2024-48519 | 1 Ardupilot | 1 Ardupilot | 2026-05-18 | 6.2 Medium |
| Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp, ArduRover, ADIS1647x Sensor component. | ||||
| CVE-2018-25325 | 1 Woocommerce-csvimport | 1 Woocommerce Csv-importer | 2026-05-18 | 7.5 High |
| Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename parameter to delete sensitive files like wp-config.php outside the intended export directory. | ||||
| CVE-2018-25331 | 1 Zenar | 1 Zenar Content Management System | 2026-05-18 | 6.1 Medium |
| Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current_page parameter sent to the ajax.php endpoint, which reflects unsanitized user input in the response HTML to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2018-25337 | 1 Joomlaextensions | 1 Joomocshop | 2026-05-18 | 4.3 Medium |
| Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints like /joomoc2/?route=account/edit and to modify user information or reset passwords without user consent. | ||||
| CVE-2026-8758 | 2 Metasoft, Metasoft | 2 Metacrm, Metacrm | 2026-05-18 | 7.3 High |
| A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8768 | 1 Vercel | 1 Ai | 2026-05-18 | 7.3 High |
| A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6333 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.5 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582 | ||||
| CVE-2026-8774 | 1 Edimax | 1 Br-6228nc | 2026-05-18 | 6.3 Medium |
| A vulnerability was detected in Edimax BR-6228NC 1.22. Affected by this issue is the function mp of the file /goform/mp of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8781 | 1 Omec-project | 1 Amf | 2026-05-18 | 4.3 Medium |
| A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues. | ||||
| CVE-2026-8788 | 1 Rrwo | 1 Net::statsd::lite | 2026-05-18 | N/A |
| Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. | ||||
| CVE-2026-8093 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-18 | 8.1 High |
| Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2. | ||||