Search Results (352648 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4834 | 2 Wedevs, Wordpress | 2 Wp Erp, Wordpress | 2026-05-22 | 7.5 High |
| The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-9018 | 2 Themewant, Wordpress | 2 Easy Elements For Elementor – Addons & Website Templates, Wordpress | 2026-05-22 | 8.8 High |
| The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request. | ||||
| CVE-2026-8134 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-43058 | 1 Linux | 1 Linux Kernel | 2026-05-22 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix pass-by-value structs causing MSAN warnings. vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their argument structs by value, causing MSAN to report uninit-value warnings. While only vidtv_ts_null_write_into() has triggered a report so far, both functions share the same issue. Fix by passing both structs by const pointer instead, avoiding the stack copy of the struct along with its MSAN shadow and origin metadata. The functions do not modify the structs, which is enforced by the const qualifier. | ||||
| CVE-2026-43060 | 1 Linux | 1 Linux Kernel | 2026-05-22 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal. Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leaves a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies. | ||||
| CVE-2023-1833 | 1 Redline | 1 Router Firmware | 2026-05-22 | 9.8 Critical |
| Authentication Bypass by Primary Weakness vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue affects Redline Router: before 7.17. | ||||
| CVE-2023-1863 | 1 Eskom | 1 El Terminali \(su Okuma\) Uygulamalarimiz | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eskom Water Metering Software allows Command Line Execution through SQL Injection. This issue affects Water Metering Software: before 23.04.06. | ||||
| CVE-2023-1873 | 1 Faturamatik | 1 Bircard | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Faturamatik Bircard allows SQL Injection. This issue affects Bircard: before 23.04.05. | ||||
| CVE-2023-2045 | 1 Ipekyolunet | 1 Software Auto Damage Tracking Software | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ipekyolu Software Auto Damage Tracking Software allows SQL Injection. This issue affects Auto Damage Tracking Software: before 4. | ||||
| CVE-2023-2046 | 1 Yontemizleme | 1 Vehicle Tracking System | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yontem Informatics Vehicle Tracking System allows SQL Injection. This issue affects Vehicle Tracking System: before 8. | ||||
| CVE-2023-2064 | 1 Minovateknoloji | 1 Etrace | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Minova Technology eTrace allows SQL Injection. This issue affects eTrace: before 23.05.20. | ||||
| CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2026-05-22 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass. This issue affects Cargo Tracking System: before 3558f28. | ||||
| CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2026-05-22 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass. This issue affects Competition Management System: before 23.07. | ||||
| CVE-2023-2703 | 1 Finexmedia | 1 Competition Management System | 2026-05-22 | 7.5 High |
| Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07. | ||||
| CVE-2023-2712 | 1 Rental Module Project | 1 Rental Module | 2026-05-22 | 9.8 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server. This issue affects Rental Module: before 23.05.15. | ||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2026-05-22 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass. This issue affects Rental Module: before 23.05.15. | ||||
| CVE-2023-2750 | 1 Cityboss | 1 E-municipality | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cityboss E-municipality allows SQL Injection. This issue affects E-municipality: before 6.05. | ||||
| CVE-2023-2851 | 1 Agtteknik | 1 Ceppatron | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AGT Tech Ceppatron allows Command Line Execution through SQL Injection, SQL Injection. This issue affects all versions of the software also EOS when CVE-ID assigned. | ||||
| CVE-2023-2852 | 1 Softmedyazilim | 1 Selfpatron | 2026-05-22 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Softmed SelfPatron allows SQL Injection. This issue affects SelfPatron: before 2.0. | ||||
| CVE-2023-2853 | 1 Softmedyazilim | 1 Selfpatron | 2026-05-22 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softmed SelfPatron allows Reflected XSS. This issue affects SelfPatron: before 2.0. | ||||