Export limit exceeded: 362606 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 362606 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 362606 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (362606 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-44619 | 1 Tinxy | 2 Wifi Lock Controller V1 Rf, Wifi Lock Controller V1 Rf Firmware | 2026-07-05 | 9.1 Critical |
| Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. | ||||
| CVE-2023-39809 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2026-07-05 | 9.8 Critical |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain an OS command injection vulnerability via shell metacharacters in the system_hostname parameter at /manage/network-basic.php. | ||||
| CVE-2023-39808 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2026-07-05 | 9.8 Critical |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password that allows attackers to login with root privileges via the SSH service. The cleartext password corresponding to the $1$4Tmm01jl$7HRvcW.bz7uGmX9hiQWvR hash was not determined by the vulnerability discoverer. | ||||
| CVE-2023-39807 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2026-07-05 | 9.8 Critical |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a SQL injection vulnerability via the a_passwd parameter at /portal/user-register.php. | ||||
| CVE-2021-27821 | 1 Openwrt | 1 Luci | 2026-07-05 | 6.1 Medium |
| The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability. | ||||
| CVE-2024-23054 | 1 Plone | 1 Plone Docker Official Image | 2026-07-05 | 9.8 Critical |
| An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm). | ||||
| CVE-2023-47415 | 1 Cypress | 2 Ctm-200, Ctm-200 Firmware | 2026-07-05 | 7.5 High |
| Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter. | ||||
| CVE-2024-22873 | 1 Tencent | 2 Blueking Configuration Management Database, Cmdb | 2026-07-05 | 8.1 High |
| Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request. | ||||
| CVE-2026-8657 | 1 Benjamine | 1 Jsondiffpatch | 2026-07-05 | 8.2 High |
| Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype. | ||||
| CVE-2026-48939 | 1 Icagenda.com | 1 Icagenda Extension For Joomla | 2026-07-05 | N/A |
| A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. | ||||
| CVE-2025-56320 | 1 Cobblestone | 1 Enterprise Contract Management Portal | 2026-07-05 | 5.4 Medium |
| CobbleStone Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored Cross-Site Scripting (XSS) in its chat box component. This allows a remote attacker to execute arbitrary code. NOTE: the Supplier reports that this is "Present only in an obsolete, unsupported version no longer in circulation." | ||||
| CVE-2025-67316 | 2 Heytap, Realme | 3 Internet Browser, Coloros, Hey Tap Coloros Browser | 2026-07-05 | 5.4 Medium |
| An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser. NOTE: The supplier is currently disputing this finding and the record is under review. | ||||
| CVE-2024-55488 | 1 Umbraco | 1 Umbraco Cms | 2026-07-05 | 6.5 Medium |
| A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level. | ||||
| CVE-2024-48733 | 1 Sas | 1 Studio | 2026-07-05 | 8.8 High |
| SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users. | ||||
| CVE-2021-40905 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2026-07-05 | 8.8 High |
| The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner. | ||||
| CVE-2024-23082 | 2026-07-05 | N/A | ||
| ThreeTen Backport v1.6.8 was discovered to contain an integer overflow via the component org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. | ||||
| CVE-2020-21468 | 1 Redislabs | 1 Redis | 2026-07-05 | 7.5 High |
| A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). NOTE: the vendor cannot reproduce this issue in a released version, such as 5.0.7. | ||||
| CVE-2023-43303 | 1 Linecorp | 1 Line | 2026-07-05 | 8.2 High |
| An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token (via captured network traffic). | ||||
| CVE-2022-26597 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-07-05 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. | ||||
| CVE-2022-33098 | 1 Magnolia-cms | 1 Magnolia Cms | 2026-07-05 | 6.1 Medium |
| Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted SVG document, with JavaScript, for a profile picture. | ||||