Export limit exceeded: 367124 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 367124 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367124 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-11405 2026-07-16 9.8 Critical
The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
CVE-2026-14536 1 Devolutions 1 Server 2026-07-16 7.3 High
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
CVE-2026-55727 1 Genetec 1 Security Center 2026-07-16 7.5 High
A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to access live video streams.
CVE-2026-36162 1 Liquidfiles 1 Liquidfiles 2026-07-16 5.4 Medium
An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted payload into the Name parameter.
CVE-2026-36163 1 Liquidfiles 1 Liquidfiles 2026-07-16 5.4 Medium
An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.
CVE-2026-51937 1 Zhangyd-c 1 Oneblog 2026-07-16 7.5 High
An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component
CVE-2026-37271 2026-07-16 9.8 Critical
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.
CVE-2026-27844 2026-07-16 2.7 Low
Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service.  Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior.
CVE-2026-39178 1 Alinto 1 Sogo 2026-07-16 6.3 Medium
A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the search parameter of the allContactSearch endpoint.
CVE-2026-52200 2026-07-16 9.8 Critical
An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk
CVE-2026-24698 2026-07-16 7.2 High
An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
CVE-2026-14253 2026-07-16 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-11740 2026-07-16 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-56437 1 Fujielectric 1 Pupsman 2026-07-16 N/A
Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary code may be executed with SYSTEM privilege.
CVE-2026-57895 1 Fujielectric 1 Pupsman 2026-07-16 N/A
Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege
CVE-2026-57239 1 Foxitsoftware 2 Foxit Pdf Editor, Foxit Reader 2026-07-16 8.2 High
The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM.
CVE-2026-62826 1 Microsoft 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 2026-07-16 4.6 Medium
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-55137 1 Microsoft 14 365 Apps, Excel 2016, Microsoft Office 365 For Mac and 11 more 2026-07-16 7.8 High
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-50682 1 Microsoft 7 Windows 10 21h2, Windows 10 22h2, Windows 11 24h2 and 4 more 2026-07-16 7.1 High
Out-of-bounds read in Windows Active Directory allows an authorized attacker to deny service over a network.
CVE-2026-50647 1 Microsoft 14 .net, Windows 10 1607, Windows 10 1809 and 11 more 2026-07-16 7.5 High
Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.