Export limit exceeded: 85562 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (85562 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69130 | 2 Themovation, Wordpress | 2 Entrepreneur - Booking For Small Businesses Wordpress Theme, Wordpress | 2026-06-20 | 8.8 High |
| Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions. | ||||
| CVE-2025-69144 | 2 Themerex, Wordpress | 2 Preservation, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Preservation <= 1.10 versions. | ||||
| CVE-2025-69164 | 2 Themerex, Wordpress | 2 Skyward, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Skyward <= 1.10 versions. | ||||
| CVE-2025-69170 | 2 Themerex, Wordpress | 2 Eventicity, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions. | ||||
| CVE-2025-69175 | 2 Themerex, Wordpress | 2 Line Agency, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions. | ||||
| CVE-2026-39445 | 2 Presslayouts, Wordpress | 2 Alukas, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions. | ||||
| CVE-2026-39559 | 2 Codesupplyco, Wordpress | 2 Uppercase, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. | ||||
| CVE-2026-40738 | 2 Edge-themes, Wordpress | 2 Eldon, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions. | ||||
| CVE-2026-40752 | 2 Select-themes, Wordpress | 2 Manufaktur Solutions, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions. | ||||
| CVE-2025-69128 | 2 Emv, Wordpress | 2 Jobcareer, Wordpress | 2026-06-20 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3. | ||||
| CVE-2025-69189 | 2 Emv, Wordpress | 2 Jobbank, Wordpress | 2026-06-20 | 7.3 High |
| Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3. | ||||
| CVE-2026-54810 | 2 Nexi Payments, Wordpress | 2 Nexi Xpay, Wordpress | 2026-06-20 | 7.5 High |
| Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1. | ||||
| CVE-2025-71322 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 8.8 High |
| PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan. | ||||
| CVE-2026-10696 | 1 Devolutions | 1 Unigetui | 2026-06-20 | 7.5 High |
| Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update. | ||||
| CVE-2026-11407 | 1 Pimcore | 1 Pimcore | 2026-06-20 | 7.2 High |
| Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions. | ||||
| CVE-2026-48979 | 1 Php-standard-library | 2 Php-standard-library, Php-standard-library/h2 | 2026-06-20 | 7.5 High |
| PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits and send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1. | ||||
| CVE-2026-50194 | 1 Steeltoeoss | 2 Steeltoe.management.endpoint, Steeltoe.management.endpointcore | 2026-06-20 | 8.2 High |
| Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port. | ||||
| CVE-2026-8050 | 1 Signalrgb | 1 Signalrgb Kernel Driver | 2026-06-20 | 7.5 High |
| In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash. | ||||
| CVE-2026-50196 | 1 Steeltoeoss | 1 Steeltoe.discovery.eureka | 2026-06-20 | 7.5 High |
| Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients. | ||||
| CVE-2026-50200 | 1 Steeltoeoss | 2 Steeltoe.management.endpoint, Steeltoe.management.endpointcore | 2026-06-20 | 7.5 High |
| Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints. | ||||