Export limit exceeded: 355093 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355093 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10241 | 1 Jeecgboot | 2 Jeecgboot, The Server Processes These Urls | 2026-06-02 | 6.3 Medium |
| A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component. | ||||
| CVE-2026-25599 | 1 Orca Energy | 2 Orca Heat Pump, Orca User Portal | 2026-06-02 | 6.3 Medium |
| Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal. | ||||
| CVE-2026-25600 | 1 Trac | 1 Pdbm | 2026-06-02 | 6.4 Medium |
| The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM’s management interface and its underlying operational functions. | ||||
| CVE-2026-49328 | 1 Apache | 2 Fesod, Fesod (incubating) | 2026-06-02 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue. | ||||
| CVE-2026-48559 | 1 Epoupon | 1 Lms | 2026-06-02 | 5.4 Medium |
| Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp. | ||||
| CVE-2024-40646 | 1 Vertex-app | 1 Vertex | 2026-06-02 | 8.6 High |
| Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11 are vulnerable to path traversal. Users should upgrade to a version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 to receive a patch. | ||||
| CVE-2026-42251 | 1 Kamsoft | 1 Ks-somed | 2026-06-02 | N/A |
| Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update. This issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026 Beside removing the hard-coded credentials from the code and changing the update process, access granted by previously exposed credentials was limited to read-only. | ||||
| CVE-2026-8931 | 1 Disig | 1 Web Signer | 2026-06-02 | N/A |
| A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3. | ||||
| CVE-2026-48879 | 2 Sergey, Wordpress | 2 Aiwu, Wordpress | 2026-06-02 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | ||||
| CVE-2026-42679 | 2 Mamunur Rashid, Wordpress | 2 Classified Listing, Wordpress | 2026-06-02 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal. This issue affects Classified Listing: from n/a through 5.3.8. | ||||
| CVE-2026-42678 | 2 Liquid Web / Stellarwp, Wordpress | 2 Givewp, Wordpress | 2026-06-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS. This issue affects GiveWP: from n/a through 4.14.5. | ||||
| CVE-2026-42677 | 2 Ben Balter, Wordpress | 2 Wp Document Revisions, Wordpress | 2026-06-02 | 7.5 High |
| Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a before 4.0.0. | ||||
| CVE-2026-42674 | 2 Aam Plugin, Wordpress | 2 Advanced Access Manager, Wordpress | 2026-06-02 | 7.5 High |
| Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0. | ||||
| CVE-2026-10118 | 1 Redhat | 3 Enterprise Linux, Hardened Images, Hummingbird | 2026-06-02 | 7.8 High |
| A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF. | ||||
| CVE-2022-4991 | 1 Tychon | 1 Tychon | 2026-06-02 | 7.4 High |
| Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. | ||||
| CVE-2026-45132 | 1 Cloudpirates-io | 1 Helm-charts | 2026-06-02 | 10 Critical |
| CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302. | ||||
| CVE-2026-45131 | 1 Cloudpirates-io | 1 Helm-charts | 2026-06-02 | 10 Critical |
| CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302. | ||||
| CVE-2026-8501 | 1 Symantec | 1 Pc Tools Internet Security | 2026-06-02 | 7.8 High |
| Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system. | ||||
| CVE-2026-45264 | 1 Nextcloud | 1 Groupfolders | 2026-06-02 | 4.3 Medium |
| Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. | ||||
| CVE-2026-45153 | 1 Nextcloud | 1 Android | 2026-06-02 | 4.6 Medium |
| Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0. | ||||