Export limit exceeded: 367163 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (87073 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-54424 | 1 Unity | 1 Parsec | 2026-07-17 | 8.4 High |
| An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable. | ||||
| CVE-2026-10830 | 2026-07-17 | 8.8 High | ||
| The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site. | ||||
| CVE-2026-11766 | 2 Ultimatemember, Wordpress | 2 Ultimate Member, Wordpress | 2026-07-17 | 8 High |
| The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile. | ||||
| CVE-2026-11855 | 2026-07-17 | 8.8 High | ||
| The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator. | ||||
| CVE-2026-11962 | 2 Fileorganizer, Wordpress | 2 Fileorganizer, Wordpress | 2026-07-17 | 8.8 High |
| The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation. | ||||
| CVE-2026-62386 | 1 Getgrav | 1 Grav | 2026-07-17 | 7.5 High |
| The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages. | ||||
| CVE-2026-62234 | 1 Getgrav | 1 Grav | 2026-07-17 | 8.1 High |
| Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers. | ||||
| CVE-2026-62231 | 1 Getgrav | 1 Grav | 2026-07-17 | 8.1 High |
| The Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created with limited scopes (e.g. read-only) can perform any write, delete, or administrative operation the owning user is authorized for. Fixed in 1.0.6. | ||||
| CVE-2026-62228 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 8.8 High |
| OpenClaw before 2026.6.5 contain an authorization bypass vulnerability in node exec approvals that allows lower-trust callers to execute actions beyond their intended authorization by using different gateway and node environments. Attackers can exploit mismatched environment configurations to persist or execute actions that exceed the caller's approved permissions. | ||||
| CVE-2026-62222 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 7.8 High |
| OpenClaw before 2026.5.22 contain a vulnerability in setup-mode discovery that allows loading of untrusted workspace plugins. Attackers with lower-trust caller access or control over configured input paths can execute or persist actions beyond their intended authorization level. | ||||
| CVE-2026-62219 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 7.1 High |
| OpenClaw 2026.2.12 before 2026.5.26 contain an authorization bypass vulnerability in the hooks allowedAgentIds validation. A lower-trust caller or configured input path can bypass agent ID restrictions by submitting blank agent IDs, allowing actions that should require stronger authorization or policy checks. | ||||
| CVE-2026-62207 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 8.8 High |
| OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authorization by exploiting insufficient policy checks on configured input paths. | ||||
| CVE-2026-62203 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 8.8 High |
| OpenClaw versions before 2026.6.6 contain an environment variable filtering vulnerability in host exec that fails to properly sanitize rustup startup variables. Attackers with lower-trust caller access or configured input paths can execute or persist actions beyond their intended authorization level. | ||||
| CVE-2026-14536 | 1 Devolutions | 1 Server | 2026-07-16 | 7.3 High |
| Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value. | ||||
| CVE-2026-55727 | 1 Genetec | 1 Security Center | 2026-07-16 | 7.5 High |
| A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to access live video streams. | ||||
| CVE-2026-51937 | 1 Zhangyd-c | 1 Oneblog | 2026-07-16 | 7.5 High |
| An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component | ||||
| CVE-2026-24698 | 2026-07-16 | 7.2 High | ||
| An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges. | ||||
| CVE-2026-57239 | 1 Foxitsoftware | 2 Foxit Pdf Editor, Foxit Reader | 2026-07-16 | 8.2 High |
| The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM. | ||||
| CVE-2026-55137 | 1 Microsoft | 14 365 Apps, Excel 2016, Microsoft Office 365 For Mac and 11 more | 2026-07-16 | 7.8 High |
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-50682 | 1 Microsoft | 7 Windows 10 21h2, Windows 10 22h2, Windows 11 24h2 and 4 more | 2026-07-16 | 7.1 High |
| Out-of-bounds read in Windows Active Directory allows an authorized attacker to deny service over a network. | ||||