Export limit exceeded: 358698 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358698 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47173 | 1 Duck-organization | 1 Quest-bot | 2026-06-12 | N/A |
| Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3. | ||||
| CVE-2026-47176 | 1 Duck-organization | 1 Quest-bot | 2026-06-12 | N/A |
| Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4. | ||||
| CVE-2026-47177 | 1 Duck-organization | 1 Quest-bot | 2026-06-12 | N/A |
| Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4. | ||||
| CVE-2026-47189 | 1 Duck-organization | 1 Quest-bot | 2026-06-12 | N/A |
| Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5. | ||||
| CVE-2026-45177 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Conjur Cloud, Conjur Cloud Edge Finding Only | 2026-06-12 | N/A |
| Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20 | ||||
| CVE-2026-47174 | 1 Duck-organization | 1 Duck-site | 2026-06-12 | N/A |
| In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1. | ||||
| CVE-2026-45176 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privilege Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45175 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privilege Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to circumvent agent self-defense mechanisms and execute unauthorized operations. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45802 | 1 Setasign | 1 Fpdi | 2026-06-12 | N/A |
| FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7. | ||||
| CVE-2026-50245 | 1 Brickcom | 4 Box, Bullet, Cube and 1 more | 2026-06-12 | 7.7 High |
| Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera feed. | ||||
| CVE-2026-50005 | 1 Brickcom | 4 Box, Bullet, Cube and 1 more | 2026-06-12 | 7.7 High |
| Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds. | ||||
| CVE-2026-39494 | 2 Wbw Plugins, Wordpress | 2 Product Filter By Wbw, Wordpress | 2026-06-12 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2. | ||||
| CVE-2026-42653 | 2 Iova.mihai, Wordpress | 2 Slicewp, Wordpress | 2026-06-12 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6. | ||||
| CVE-2026-45174 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Endpoint Privileged Manager, Idira Endpoint Privilege Manager | 2026-06-12 | N/A |
| Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19 | ||||
| CVE-2026-45173 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Identity Browser Extensions, Identity Browser Extensions | 2026-06-12 | N/A |
| Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21 | ||||
| CVE-2026-45172 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Privileged Session Manager, Pam Self-hosted Privilege Cloud | 2026-06-12 | N/A |
| Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18 | ||||
| CVE-2026-45171 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Privileged Session Manager, Privileged Session Manager Vault | 2026-06-12 | N/A |
| Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletin: CA26-17 and CA26-18 | ||||
| CVE-2026-45170 | 2 Cyberark, Cyberark Software A Palo Alto Networks Company | 2 Pam Sh Connector, Pam Sh Connector | 2026-06-12 | N/A |
| Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26-17 | ||||
| CVE-2026-47365 | 2 Webpros, Wordpress | 2 Wordpress-toolkit, Wordpress | 2026-06-12 | 9.9 Critical |
| Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account. | ||||
| CVE-2026-47367 | 1 Ubiquiti | 1 Uid Enterprise Agent | 2026-06-12 | 9.9 Critical |
| A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device. | ||||