Export limit exceeded: 363308 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363308 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57360 | 2 Implecode, Wordpress | 2 Ecommerce Product Catalog, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions. | ||||
| CVE-2026-34105 | 2026-07-02 | 9.8 Critical | ||
| Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents. | ||||
| CVE-2026-34099 | 2026-07-02 | 9.8 Critical | ||
| Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (line 16): SELECT * FROM jobs where id = '\".$_GET['id'].\"'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current user, schema names, and table contents. | ||||
| CVE-2026-58399 | 2026-07-02 | N/A | ||
| @acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs. A fix has been implemented in v2.3.0. | ||||
| CVE-2026-57348 | 2 Cozmoslabs, Wordpress | 2 Paid Member Subscriptions, Wordpress | 2026-07-02 | 7.2 High |
| Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions. | ||||
| CVE-2026-49779 | 2026-07-02 | 6.5 Medium | ||
| Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions. | ||||
| CVE-2026-56379 | 1 Imagemagick | 1 Imagemagick | 2026-07-02 | 8.1 High |
| ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering. | ||||
| CVE-2026-56371 | 1 Imagemagick | 1 Imagemagick | 2026-07-02 | 5.3 Medium |
| ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed. | ||||
| CVE-2026-58451 | 1 Horde | 1 Imp | 2026-07-02 | 6.5 Medium |
| Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session. | ||||
| CVE-2026-27419 | 2 Wordpress, Zozothemes | 2 Wordpress, Zegen | 2026-07-02 | 9.9 Critical |
| Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions. | ||||
| CVE-2026-57764 | 2026-07-02 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. | ||||
| CVE-2026-57686 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. | ||||
| CVE-2026-57757 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. | ||||
| CVE-2026-57751 | 2026-07-02 | 8.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. | ||||
| CVE-2026-4767 | 2026-07-02 | 9.8 Critical | ||
| Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. | ||||
| CVE-2026-57680 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-02 | 6.5 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions. | ||||
| CVE-2026-58172 | 1 Threemammals | 1 Ocelot | 2026-07-02 | 9.1 Critical |
| Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list. | ||||
| CVE-2026-57948 | 3 Pinpoint, Pinpoint-apm, Wordpress | 3 Pinpoint Booking System, Pinpoint, Wordpress | 2026-07-02 | 6.8 Medium |
| Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking. | ||||
| CVE-2026-58652 | 2026-07-02 | 7.5 High | ||
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||
| CVE-2026-58653 | 1 Praison | 1 Praisonai | 2026-07-02 | 4.3 Medium |
| PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints. | ||||