Export limit exceeded: 367118 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (367118 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10551 | 2026-07-16 | 6.1 Medium | ||
| The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format. | ||||
| CVE-2026-12271 | 2026-07-16 | 5.4 Medium | ||
| The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result. | ||||
| CVE-2026-12379 | 1 Qt | 1 Axivion | 2026-07-16 | N/A |
| An Open Redirect vulnerability (CWE-601) exists in the OAuth/OIDC authentication implementation of the Axivion Dashboard. The login flow did not properly restrict the post-authentication redirect to the application's own origin, so a user who follows a crafted login link can be sent to an untrusted external site after authenticating against the genuine Dashboard. Because the link points at the legitimate Dashboard, this can be abused for phishing, for example credential or second-factor theft via a convincing look-alike page. Exploitation requires the victim to follow the attacker-supplied link and complete the authentication flow. | ||||
| CVE-2026-58614 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-07-16 | 5.5 Medium |
| Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-42900 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-07-16 | 8.1 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Store allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-49165 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-07-16 | 7.1 High |
| Use of uninitialized resource in Microsoft Windows App Store allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-49177 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-07-16 | 5.5 Medium |
| Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-62193 | 1 Openclaw | 1 Openclaw | 2026-07-16 | 4.9 Medium |
| OpenClaw versions 2026.6.5 before 2026.6.9 contain a vulnerability in the plugin install wrappers that could skip the install policy (authorization) check. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path could execute or persist actions beyond the caller's intended authorization. Impact depends on the operator's configuration and whether lower-trust input can reach the affected path. The issue is fixed in 2026.6.9. | ||||
| CVE-2026-54997 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-07-16 | 5.5 Medium |
| Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally. | ||||
| CVE-2026-58595 | 1 Microsoft | 1 Bing Search | 2026-07-16 | 8.1 High |
| Improper restriction of rendered ui layers or frames in Microsoft Bing App for IOS allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-49784 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-07-16 | 7 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2024-7033 | 1 Openwebui | 1 Open Webui | 2026-07-16 | 7.2 High |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-7034 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-07-16 | 7.2 High |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-7038 | 1 Openwebui | 1 Open Webui | 2026-07-16 | 2.7 Low |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-7039 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-07-16 | 6.7 Medium |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-7959 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-07-16 | 7.7 High |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-7040 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-07-16 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2026-54733 | 2026-07-16 | N/A | ||
| The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1. | ||||
| CVE-2026-14960 | 2026-07-16 | 9.8 Critical | ||
| Pegatron `Tdelo64.sys` improperly exposes privileged hardware access functionality through the `\\.\TdeIo` device interface. IOCTL handlers including `TDE_IOCTL_INDEXIO_READ` and `TDE_IOCTL_INDEXIO_WRITE` permit unprivileged user-mode callers to perform arbitrary hardware I/O port reads and writes without authorization checks. A local attacker can abuse this functionality to manipulate hardware registers, tamper with firmware-related interfaces, cause system instability, or establish persistent low-level compromise. | ||||
| CVE-2026-11866 | 2026-07-16 | 5.4 Medium | ||
| The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator. | ||||