Search Results (85441 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56771 | 1 Samuelclay | 1 Newsblur | 2026-06-26 | 8.5 High |
| NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration. | ||||
| CVE-2026-11527 | 1 Shlomi Fish | 1 Config-inifiles | 2026-06-26 | 8.6 High |
| Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID. | ||||
| CVE-2026-12197 | 1 Ruijie | 2 Eg105g-p, Rg-eg105g-p | 2026-06-26 | 7.2 High |
| A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-36670 | 1 Opensips | 1 Opensips | 2026-06-26 | 8.8 High |
| A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php. | ||||
| CVE-2026-49111 | 2 Themegrill, Wordpress | 2 Masteriyo, Wordpress | 2026-06-26 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0. | ||||
| CVE-2023-4727 | 1 Redhat | 6 Certificate System Eus, Enterprise Linux, Rhel Aus and 3 more | 2026-06-26 | 7.5 High |
| A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with an LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege. | ||||
| CVE-2026-24637 | 2 Blubrry, Wordpress | 2 Powerpress Podcasting, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions. | ||||
| CVE-2026-27407 | 2 Meowapps, Wordpress | 2 Ai Engine, Wordpress | 2026-06-26 | 7.2 High |
| Editor Privilege Escalation in AI Engine <= 3.4.9 versions. | ||||
| CVE-2026-39450 | 2 Funnelkit, Wordpress | 2 Funnelkit Automations, Wordpress | 2026-06-26 | 7.1 High |
| Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. | ||||
| CVE-2026-39518 | 2 Theeventprime, Wordpress | 2 Eventprime, Wordpress | 2026-06-26 | 7.1 High |
| Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions. | ||||
| CVE-2026-39524 | 2 Themegrill, Wordpress | 2 Masteriyo, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions. | ||||
| CVE-2026-39532 | 2 Stiofansisland, Wordpress | 2 Events Calendar For Geodirectory, Wordpress | 2026-06-26 | 8.8 High |
| Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions. | ||||
| CVE-2026-39534 | 2 Wordpress, Wpdirectorykit | 2 Wordpress, Wp Directory Kit | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions. | ||||
| CVE-2026-40779 | 2 Wordpress, Ylefebvre | 2 Wordpress, Link Library | 2026-06-26 | 7.7 High |
| Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. | ||||
| CVE-2026-42668 | 2 Omnisend, Wordpress | 2 Email Marketing For Woocommerce, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions. | ||||
| CVE-2026-42686 | 2 Theeventprime, Wordpress | 2 Eventprime, Wordpress | 2026-06-26 | 7.1 High |
| Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions. | ||||
| CVE-2026-42687 | 2 Theeventprime, Wordpress | 2 Eventprime, Wordpress | 2026-06-26 | 8.1 High |
| Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions. | ||||
| CVE-2026-45437 | 2 Brthumar1959, Wordpress | 2 Product Filter Widget For Elementor, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. | ||||
| CVE-2026-45441 | 2 Magepeopleteam, Wordpress | 2 Wpevently, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions. | ||||
| CVE-2026-49078 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-06-26 | 7.5 High |
| Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions. | ||||