Export limit exceeded: 361045 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361045 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12242 | 2 Adegans, Wordpress | 2 Adrotate Banner Manager, Wordpress | 2026-06-24 | 8.8 High |
| The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings. | ||||
| CVE-2026-57282 | 1 Jenkins Project | 1 Jenkins Git Client Plugin | 2026-06-24 | 5 Medium |
| Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent. | ||||
| CVE-2026-57286 | 1 Jenkins Project | 1 Jenkins Git Parameter Plugin | 2026-06-24 | 4.3 Medium |
| A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata. | ||||
| CVE-2026-57287 | 1 Jenkins Project | 1 Jenkins Job Configuration History Plugin | 2026-06-24 | 4.3 Medium |
| Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted. | ||||
| CVE-2026-42450 | 1 Academysoftwarefoundation | 1 Opencolorio | 2026-06-24 | N/A |
| OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue. | ||||
| CVE-2026-57289 | 1 Jenkins Project | 1 Jenkins Bitbucket Push And Pull Request Plugin | 2026-06-24 | 4.8 Medium |
| Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token. | ||||
| CVE-2026-57290 | 1 Jenkins Project | 1 Jenkins Priority Sorter Plugin | 2026-06-24 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration. | ||||
| CVE-2026-57291 | 1 Jenkins Project | 1 Jenkins Gitee Plugin | 2026-06-24 | 5.4 Medium |
| Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. | ||||
| CVE-2026-57292 | 1 Jenkins Project | 1 Jenkins Gitee Plugin | 2026-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. | ||||
| CVE-2026-57293 | 1 Jenkins Project | 1 Jenkins Gitee Plugin | 2026-06-24 | 4.3 Medium |
| An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2026-57294 | 1 Jenkins Project | 1 Jenkins Ec2 Fleet Plugin | 2026-06-24 | 5.4 Medium |
| A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins. | ||||
| CVE-2026-57295 | 1 Jenkins Project | 1 Jenkins Ec2 Fleet Plugin | 2026-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins. | ||||
| CVE-2026-57296 | 1 Jenkins Project | 1 Jenkins External Workspace Manager Plugin | 2026-06-24 | 8.8 High |
| Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution. | ||||
| CVE-2026-57297 | 2 Jenkins, Jenkins Project | 2 Contrast Continuous Application Security, Jenkins Contrast Continuous Application Security Plugin | 2026-06-24 | N/A |
| A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key. | ||||
| CVE-2026-57298 | 2 Jenkins, Jenkins Project | 2 Contrast Continuous Application Security, Jenkins Contrast Continuous Application Security Plugin | 2026-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key. | ||||
| CVE-2026-57299 | 2 Jenkins, Jenkins Project | 2 Contrast Continuous Application Security, Jenkins Contrast Continuous Application Security Plugin | 2026-06-24 | N/A |
| Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata. | ||||
| CVE-2026-57300 | 1 Jenkins Project | 1 Jenkins Mcp Server Plugin | 2026-06-24 | 4.3 Medium |
| A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access. | ||||
| CVE-2026-57301 | 1 Jenkins Project | 1 Jenkins Owasp Zap Plugin | 2026-06-24 | 8.8 High |
| Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller. | ||||
| CVE-2026-57302 | 1 Jenkins Project | 1 Jenkins Fitnesse Plugin | 2026-06-24 | 4.3 Medium |
| Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2026-57304 | 1 Jenkins Project | 1 Jenkins Assembla Plugin | 2026-06-24 | 5.4 Medium |
| A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. | ||||