Search Results (47011 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-5667 2026-06-17 N/A
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.
CVE-2025-69151 2 Themegoods, Wordpress 2 Grand Car Rental, Wordpress 2026-06-17 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions.
CVE-2026-9570 2 Taskbuilder, Wordpress 2 Taskbuilder, Wordpress 2026-06-17 7.1 High
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
CVE-2026-48869 2 Kriesi, Wordpress 2 Enfold, Wordpress 2026-06-17 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
CVE-2025-48700 2 Synacor, Zimbra 2 Zimbra Collaboration Suite, Zimbra 2026-06-17 6.1 Medium
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
CVE-2026-53441 2 Jenkins, Jenkins Project 2 Jenkins, Jenkins 2026-06-17 5.4 Medium
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CVE-2026-11414 1 Altium 2 Enterprise Server, On-prem Enterprise Server 2026-06-16 9.8 Critical
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
CVE-2026-22997 1 Linux 1 Linux Kernel 2026-06-16 7.5 High
In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem.
CVE-2026-39449 2 Itpathsolutions, Wordpress 2 Contact Form To Any Api, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
CVE-2026-39435 2 Bgermann, Wordpress 2 Cformsii, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
CVE-2026-39463 2 Managewp, Wordpress 2 Managewp Worker, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
CVE-2026-40770 2 Relywp, Wordpress 2 Coupon Affiliates, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
CVE-2026-42663 2 Wordpress, Wp.insider 2 Wordpress, Simple Membership 2026-06-16 6.5 Medium
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
CVE-2026-48867 2 Expresstech, Wordpress 2 Quiz And Survey Master, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.
CVE-2026-54198 2 Davidlingren, Wordpress 2 Media Library Assistant, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.
CVE-2026-48880 2 Ahmad, Wordpress 2 Wp Job Portal, Wordpress 2026-06-16 6.5 Medium
Subscriber Cross Site Scripting (XSS) in WP Job Portal <= 2.5.2 versions.
CVE-2026-39451 2 Jgwhite33, Wordpress 2 Wp Google Review Slider, Wordpress 2026-06-16 6.3 Medium
Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.
CVE-2026-39491 2 Artbees, Wordpress 2 Jupiter X Core, Wordpress 2026-06-16 6.5 Medium
Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.
CVE-2026-48870 2 Kingaddons, Wordpress 2 King Addons For Elementor, Wordpress 2026-06-16 6.5 Medium
Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions.
CVE-2026-53473 1 Kubev2v 2 Migration-planner-ui-app, Migration Planner Ui 2026-06-16 7.3 High
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.