Export limit exceeded: 363086 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363086 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-51946 | 2026-07-02 | 6.5 Medium | ||
| SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the the __sort_type URL parameter on all /admin/info/{table} endpoints | ||||
| CVE-2026-12122 | 2 Themeum, Wordpress | 2 Kirki – Freeform Page Builder, Website Builder & Customizer, Wordpress | 2026-07-02 | 5.3 Medium |
| The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID. | ||||
| CVE-2026-27419 | 2 Wordpress, Zozothemes | 2 Wordpress, Zegen | 2026-07-02 | 9.9 Critical |
| Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions. | ||||
| CVE-2026-57764 | 2026-07-02 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. | ||||
| CVE-2026-57686 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. | ||||
| CVE-2026-57757 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. | ||||
| CVE-2026-13937 | 1 Google | 1 Chrome | 2026-07-02 | 6.5 Medium |
| Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-57751 | 2026-07-02 | 8.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. | ||||
| CVE-2026-4767 | 2026-07-02 | 9.8 Critical | ||
| Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. | ||||
| CVE-2026-57680 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-02 | 6.5 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions. | ||||
| CVE-2026-20458 | 1 Mediatek, Inc. | 1 Mediatek Chipset | 2026-07-02 | 7.5 High |
| In Modem, there is a possible memory corruption due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01402160; Issue ID: MSV-7298. | ||||
| CVE-2026-20459 | 1 Mediatek, Inc. | 1 Mediatek Chipset | 2026-07-02 | 5.3 Medium |
| In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01816800; Issue ID: MSV-6842. | ||||
| CVE-2026-57678 | 2 Themepunch, Wordpress | 2 Slider Revolution, Wordpress | 2026-07-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16. | ||||
| CVE-2026-58172 | 1 Threemammals | 1 Ocelot | 2026-07-02 | 9.1 Critical |
| Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list. | ||||
| CVE-2026-57948 | 3 Pinpoint, Pinpoint-apm, Wordpress | 3 Pinpoint Booking System, Pinpoint, Wordpress | 2026-07-02 | 6.8 Medium |
| Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking. | ||||
| CVE-2026-24247 | 1 Nvidia | 1 Megatron-bridge | 2026-07-02 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24270 | 2026-07-02 | 9.8 Critical | ||
| NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2026-58652 | 2026-07-02 | 7.5 High | ||
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||
| CVE-2026-58653 | 1 Praison | 1 Praisonai | 2026-07-02 | 4.3 Medium |
| PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints. | ||||
| CVE-2026-4772 | 2026-07-02 | 5.4 Medium | ||
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. | ||||