Search Results (356945 CVEs found)

CVE | Vendors | Products | Updated | CVSS v3.1
CVE-2026-8599 | Vendors (2): Mailerpress, Wordpress | Products (2): Mailerpress – Email Marketing, Newsletter, Email Automation & Woocommerce Emails, Wordpress | Updated: 2026-06-09 | CVSS v3.1: 6.4 Medium
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
CVE-2026-46315 | Vendors (1): Linux | Products (1): Linux Kernel | Updated: 2026-06-09 | CVSS v3.1: N/A
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: clear waitid info before copying it to userspace
IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
CVE-2026-11053 | Vendors (1): Chromium | Products (1): Browser | Updated: 2026-06-09 | CVSS v3.1: 6.5 Medium
A flaw was found in the WebRTC component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=498841456
CVE-2026-11099 | Vendors (1): Chromium | Products (1): Chromium | Updated: 2026-06-09 | CVSS v3.1: 6.5 Medium
A flaw was found in the Skia component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=500414865
CVE-2026-36789 | Vendors (1): Tenda | Products (1): Ac1206 | Updated: 2026-06-09 | CVSS v3.1: 7.5 High
Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVE-2026-36786 | Vendors (1): Tenda | Products (1): Fh451 | Updated: 2026-06-09 | CVSS v3.1: 7.5 High
Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the list1 parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVE-2021-47983 | Vendors (2): Mra13, Wordpress | Products (2): Accept Stripe Payments, Wordpress | Updated: 2026-06-09 | CVSS v3.1: 6.4 Medium
WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
CVE-2021-47984 | Vendors (2): Wordpress, Wp24 | Products (2): Wordpress, Wp24 Domain Check | Updated: 2026-06-09 | CVSS v3.1: 6.4 Medium
WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.
CVE-2022-50953 | Vendors (2): Brooks24, Wordpress | Products (2): Admin-word-count-column, Wordpress | Updated: 2026-06-09 | CVSS v3.1: 6.2 Medium
WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration.
CVE-2023-54351 | Vendors (2): Sonaar, Wordpress | Products (2): Sonaar Music Plugin, Wordpress | Updated: 2026-06-09 | CVSS v3.1: 7.2 High
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.
CVE-2023-54352 | Vendors (2): Wordpress, Wp Travel Kit | Products (2): Wordpress, Travelscape | Updated: 2026-06-09 | CVSS v3.1: 9.8 Critical
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.
CVE-2024-58348 | Vendors (2): Background-image-cropper, Wordpress | Products (2): Background Image Cropper, Wordpress | Updated: 2026-06-09 | CVSS v3.1: 9.8 Critical
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
CVE-2024-58349 | Vendors (2): Wordpress, Wp Travel Kit | Products (2): Wordpress, Travelscape | Updated: 2026-06-09 | CVSS v3.1: 9.8 Critical
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.
CVE-2026-11491 | Vendors (2): Codeastro, Sourcecodester | Products (2): Human Resource Management System, Human Resource Management System | Updated: 2026-06-09 | CVSS v3.1: 2.4 Low
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> as part of POST leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2026-5119 | Vendors (2): Gnome, Redhat | Products (9): Libsoup, Enterprise Linux, Enterprise Linux Eus and 6 more | Updated: 2026-06-09 | CVSS v3.1: 5.9 Medium
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
CVE-2026-41722 | Vendors (1): Vmware | Products (3): Aria Operations, Telco Cloud Platform, Vcf Operations | Updated: 2026-06-09 | CVSS v3.1: 8 High
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-41723 | Vendors (1): Vmware | Products (3): Aria Operations, Telco Cloud Platform, Vcf Operations | Updated: 2026-06-09 | CVSS v3.1: 8 High
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-41724 | Vendors (1): Vmware | Products (3): Aria Operations, Telco Cloud Platform, Vcf Operations | Updated: 2026-06-09 | CVSS v3.1: 8 High
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-3238 | Vendors (2): Redhat, Samba | Products (4): Enterprise Linux, Openshift, Openshift Container Platform and 1 more | Updated: 2026-06-09 | CVSS v3.1: 7.5 High
A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
CVE-2026-50752 | Vendors (1): Checkpoint | Products (2): Quantum Security Gateway, Spark Firewalls | Updated: 2026-06-09 | CVSS v3.1: 7.4 High
A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN site-to-site connections that use certificate-based authentication. Successful exploitation could allow interception or modification of traffic traversing the VPN tunnel.