Export limit exceeded: 361357 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361357 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361357 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56046 | 2026-06-26 | 6.5 Medium | ||
| Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions. | ||||
| CVE-2026-56059 | 2026-06-26 | 9.9 Critical | ||
| Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions. | ||||
| CVE-2026-57312 | 2026-06-26 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions. | ||||
| CVE-2026-57318 | 2026-06-26 | 6.5 Medium | ||
| Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions. | ||||
| CVE-2026-57325 | 2026-06-26 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions. | ||||
| CVE-2026-54090 | 1 Filebrowser | 1 Filebrowser | 2026-06-26 | N/A |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8. | ||||
| CVE-2026-57627 | 2026-06-26 | 4.9 Medium | ||
| Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions. | ||||
| CVE-2026-57633 | 2026-06-26 | 5.3 Medium | ||
| Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions. | ||||
| CVE-2026-57640 | 2026-06-26 | 4.3 Medium | ||
| Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions. | ||||
| CVE-2026-57646 | 2026-06-26 | 5.4 Medium | ||
| Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions. | ||||
| CVE-2026-57652 | 2026-06-26 | 5.3 Medium | ||
| Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions. | ||||
| CVE-2026-57658 | 2026-06-26 | 9.1 Critical | ||
| Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions. | ||||
| CVE-2026-57664 | 2026-06-26 | 4.3 Medium | ||
| Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions. | ||||
| CVE-2026-57874 | 1 Geovision Inc. | 1 Gv-lpclpc2011 2211 | 2026-06-26 | 7.5 High |
| An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart upload data. A remote attacker may exploit this vulnerability by sending a crafted upload request with overly long input, causing memory corruption and resulting in a denial of service. | ||||
| CVE-2026-9717 | 1 Schneider-electric | 1 Powerlogic P7 | 2026-06-26 | N/A |
| CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service. | ||||
| CVE-2025-10268 | 2026-06-26 | 5.3 Medium | ||
| The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server. | ||||
| CVE-2026-45256 | 2026-06-26 | 5.5 Medium | ||
| When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS). | ||||
| CVE-2026-57873 | 1 Geovision Inc. | 1 Gv-lpclpc2011 2211 | 2026-06-26 | 7.5 High |
| An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of multipart upload headers when processing certificate-related upload fields. A remote attacker may exploit this vulnerability by sending a malformed multipart request, causing the affected CGI process to crash and resulting in a denial of service. | ||||
| CVE-2026-12411 | 2026-06-26 | 8.4 High | ||
| Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled. | ||||
| CVE-2026-57872 | 1 Geovision Inc. | 1 Gv-lpclpc2011 2211 | 2026-06-26 | 7.5 High |
| An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the requested file is accessed by the CGI component. A remote attacker may exploit this vulnerability by sending a crafted request to read arbitrary files accessible to the affected process, resulting in information disclosure. | ||||