Export limit exceeded: 351356 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351356 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6379 | 2 Wordpress, Wp Photo Album Plus Project | 2 Wordpress, Wp Photo Album Plus | 2026-05-18 | N/A |
| The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks. | ||||
| CVE-2026-6339 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636 | ||||
| CVE-2026-6347 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 7.6 High |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605 | ||||
| CVE-2026-6343 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591 | ||||
| CVE-2026-6346 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 8.7 High |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607 | ||||
| CVE-2026-6345 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614 | ||||
| CVE-2026-6333 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.5 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582 | ||||
| CVE-2026-4643 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.5 Low |
| Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633 | ||||
| CVE-2026-3471 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618 | ||||
| CVE-2026-5163 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645 | ||||
| CVE-2026-4320 | 2026-05-18 | N/A | ||
| Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials. | ||||
| CVE-2026-8781 | 1 Omec-project | 1 Amf | 2026-05-18 | 4.3 Medium |
| A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues. | ||||
| CVE-2026-8802 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-05-18 | 4.3 Medium |
| A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8788 | 1 Rrwo | 1 Net::statsd::lite | 2026-05-18 | N/A |
| Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. | ||||
| CVE-2026-6334 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.1 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermost Advisory ID: MMSA-2026-00570 | ||||
| CVE-2026-3495 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.8 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622 | ||||
| CVE-2026-6342 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 | ||||
| CVE-2026-41119 | 2026-05-18 | 6.8 Medium | ||
| Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to loss of confidentiality and integrity. | ||||
| CVE-2026-2325 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}.. Mattermost Advisory ID: MMSA-2026-00608 | ||||
| CVE-2026-3637 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627 | ||||