Export limit exceeded: 364105 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364105 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364105 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-15595 1 Sourcecodester 1 Class And Exam Timetabling System 2026-07-13 4.3 Medium
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-21039 1 Samsung 1 Mobile Devices 2026-07-13 N/A
Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.
CVE-2026-21043 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-13 N/A
Path traversal in Wallpaper service prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system server privilege.
CVE-2026-21046 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-13 N/A
Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows local privileged attackers to execute arbitrary code.
CVE-2026-21048 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-13 N/A
Out-of-bounds write in parsing DNG format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allows remote attackers to write out-of-bounds memory.
CVE-2026-21051 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-13 N/A
Incorrect default permissions in WLAN security prior to SMR Jul-2026 Release 1 allows local attackers to configure TencentWifiSecurity settings.
CVE-2026-21052 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-13 N/A
Path traversal in SemClipboardService prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system privilege.
CVE-2026-21053 1 Samsung Mobile 1 Samsung Email 2026-07-13 N/A
Improper input validation in Samsung Email prior to version 6.2.13.1 allows local attackers to create arbitrary files within the application sandbox.
CVE-2026-14906 1 Mozilla 1 Firefox For Ios 2026-07-13 5.3 Medium
Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. This vulnerability was fixed in Firefox for iOS 152.4.
CVE-2026-58410 2026-07-13 7.1 High
ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another family’s `familyId` and access records outside their own family scope. The backend trusts the attacker-controlled `familyId` and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family’s record. This breaks the intended EditSelf scope and allows access to unrelated congregation records. This issue has been fixed in version 7.4.0.
CVE-2026-21054 1 Samsung Mobile 1 Inputsharing 2026-07-13 N/A
Improper export of android application components in InputSharing prior to version 2.7.01.4 allows local attackers to access sharing data.
CVE-2026-21055 1 Samsung Mobile 1 Bixby 2026-07-13 N/A
Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.
CVE-2026-21056 1 Samsung Mobile 1 Samsung Health 2026-07-13 N/A
Improper authorization in Samsung Health prior to version 7.00.0.107 allows local attackers to access connected device information.
CVE-2026-12276 2026-07-13 5.3 Medium
The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.
CVE-2026-15594 1 Waooai 1 Waoowaoo 2026-07-13 3.7 Low
A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-58409 2026-07-13 9.1 Critical
ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution (RCE) on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWED_EXTENSIONS list, while the dangerous extensions denylist (DENIED_EXTENSIONS) fails to block standard .php files. Because `php` is explicitly included in the allowed extension list for plugin archives, and extracted files are placed directly under the web root, any PHP file inside the ZIP becomes immediately executable via HTTP — without even needing to "enable" the plugin through the application UI. The /plugins/install-url API route (management.php) allows an administrator to source the malicious ZIP from any attacker-controlled HTTPS URL, validating it only against an attacker-supplied SHA-256 hash. This issue has been fixed in version 7.4.0.
CVE-2026-48363 2026-07-13 8.2 High
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
CVE-2026-48364 2026-07-13 8.2 High
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
CVE-2026-56689 1 Dell 1 Powerflex Manager 2026-07-13 7.7 High
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
CVE-2026-54469 1 Dell 1 Unisphere For Powermax 2026-07-13 8.8 High
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.