Export limit exceeded: 361738 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361738 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361738 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361738 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56061 | 2 Wordpress, Wp Swings | 2 Wordpress, Subscriptions For Woocommerce | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions. | ||||
| CVE-2026-57332 | 2026-06-29 | 7.1 High | ||
| Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions. | ||||
| CVE-2026-53550 | 1 Nodeca | 1 Js-yaml | 2026-06-29 | 5.3 Medium |
| js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. | ||||
| CVE-2026-57326 | 2026-06-29 | 6.5 Medium | ||
| Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions. | ||||
| CVE-2026-13571 | 1 Sourcecodester | 1 Simple Food Ordering System | 2026-06-29 | 5.3 Medium |
| A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lead to business logic errors. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-57314 | 2 Surecart, Wordpress | 2 Surecart, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions. | ||||
| CVE-2026-57321 | 2026-06-29 | 7.1 High | ||
| Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions. | ||||
| CVE-2025-29635 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2026-06-29 | 7.2 High |
| A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution. | ||||
| CVE-2026-35273 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2026-06-29 | 9.8 Critical |
| Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2026-13545 | 1 D-link | 1 Dcs-935l | 2026-06-29 | 8.8 High |
| A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-11597 | 2026-06-29 | 6.4 Medium | ||
| The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-58052 | 1 7-zip | 1 7-zip | 2026-06-29 | 3.3 Low |
| 7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content. | ||||
| CVE-2026-58058 | 1 Nmap | 1 Nmap | 2026-06-29 | 6.5 Medium |
| Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans. | ||||
| CVE-2026-13487 | 1 Sourcecodester | 1 Class And Exam Timetabling System | 2026-06-29 | 7.3 High |
| A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive.php. The manipulation of the argument sy leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-13495 | 1 Itsourcecode | 1 Hospital Management System | 2026-06-29 | 4.7 Medium |
| A vulnerability has been found in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminprofile.php. The manipulation of the argument loginid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-13501 | 1 Antlr | 1 Antlr4 | 2026-06-29 | 5.3 Medium |
| A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-13509 | 1 Ragapp | 1 Ragapp | 2026-06-29 | 6.3 Medium |
| A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | ||||
| CVE-2026-13515 | 1 Tenda | 1 Jd12l | 2026-06-29 | 8.8 High |
| A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-57629 | 2 Statcounter, Wordpress | 2 Statcounter, Wordpress | 2026-06-29 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions. | ||||
| CVE-2026-12856 | 1 Redhat | 1 Openshift Devspaces | 2026-06-29 | 8.8 High |
| A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces. | ||||