Search Results (83464 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-45211 2 Saad Iqbal, Wordpress 2 Apiexperts Square For Woocommerce, Wordpress 2026-05-13 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection. This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.1.
CVE-2026-45213 2 Realmag777, Wordpress 2 Bear, Wordpress 2026-05-13 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection. This issue affects BEAR: from n/a through <= 1.1.7.1.
CVE-2026-45218 2 Wordpress, Wp Travel 2 Wordpress, Wp Travel 2026-05-13 7.7 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0.
CVE-2026-43938 1 Yafnet 1 Yafnet 2026-05-13 8.1 High
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. This vulnerability is fixed in 4.0.5 and 3.2.12.
CVE-2026-43937 1 Yafnet 1 Yafnet 2026-05-13 8.8 High
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5.
CVE-2026-43990 1 Dragonmonk111 1 Junoclaw 2026-05-13 8.4 High
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1.
CVE-2026-23819 1 Hpe 1 Arubaos 2026-05-13 8.8 High
A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.
CVE-2026-23820 1 Hpe 1 Arubaos 2026-05-13 7.2 High
A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
CVE-2026-23821 1 Hpe 1 Arubaos 2026-05-13 7.2 High
A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. Note: Access Points running AOS-8 Instant software are not affected by this vulnerability.
CVE-2026-23823 1 Hpe 1 Arubaos 2026-05-13 7.2 High
A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. NOTE: This vulnerability only impacts Access Points running AOS-10.7.x.x and above. AOS-10.4 AP and AOS-8 Instant software branches are not affected by this vulnerability.
CVE-2026-7474 1 Hashicorp 2 Nomad, Nomad Enterprise 2026-05-13 8.8 High
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
CVE-2026-26289 1 Subnet Solutions 3 Powersystem Center 2020, Powersystem Center 2024, Powersystem Center 2026 2026-05-13 8.2 High
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
CVE-2026-5371 2 Chriscct7, Wordpress 2 Monsterinsights – Google Analytics Dashboard For Wordpress (website Stats Made Easy), Wordpress 2026-05-13 7.1 High
The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset the plugin's Google Ads integration.
CVE-2026-1250 2 Webmuehle, Wordpress 2 Court Reservation – Manage Your Court Bookings Online, Wordpress 2026-05-13 7.5 High
The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-7635 2 Gdragon, Wordpress 2 Coreactivity: Activity Logging For Wordpress, Wordpress 2026-05-13 8.1 High
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.
CVE-2026-6929 2 Beardev, Wordpress 2 Joomsport – For Sports: Team & League, Football, Hockey & More, Wordpress 2026-05-13 7.5 High
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including, 5.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-2465 1 E-kalite Software Hardware Engineering Design And Internet Services Industry And Trade Ltd. Co. 1 Turboard 2026-05-13 8.8 High
Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard FOR-S allows Privilege Escalation. This issue affects Turboard FOR-S: from 7.01.2026 before 18.02.2026.
CVE-2026-33833 1 Microsoft 1 Azure Machine Learning 2026-05-13 8.2 High
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42893 1 Microsoft 1 Outlook 2026-05-13 7.4 High
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
CVE-2026-32204 1 Microsoft 2 Azure Monitor, Azure Monitor Agent 2026-05-13 7.8 High
External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.