Export limit exceeded: 361620 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (361620 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-20458 1 Mediatek, Inc. 1 Mediatek Chipset 2026-07-02 7.5 High
In Modem, there is a possible memory corruption due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01402160; Issue ID: MSV-7298.
CVE-2026-20459 1 Mediatek, Inc. 1 Mediatek Chipset 2026-07-02 5.3 Medium
In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01816800; Issue ID: MSV-6842.
CVE-2026-20460 1 Mediatek, Inc. 1 Mediatek Chipset 2026-07-02 5.3 Medium
In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.
CVE-2026-20462 1 Mediatek, Inc. 1 Mediatek Chipset 2026-07-02 6.7 Medium
In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871.
CVE-2026-11568 2026-07-02 7.5 High
The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.
CVE-2026-11570 2026-07-02 4.2 Medium
The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.
CVE-2026-11880 2026-07-02 3.1 Low
The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.
CVE-2026-11887 2 Salonbookingsystem, Wordpress 2 Salon Booking System, Wordpress 2026-07-02 4.3 Medium
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings.
CVE-2026-24247 1 Nvidia 1 Megatron-bridge 2026-07-02 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-24249 1 Nvidia 1 Megatron-bridge 2026-07-02 7.8 High
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
CVE-2026-24270 2026-07-02 9.8 Critical
NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2026-57680 2 Themeum, Wordpress 2 Kirki, Wordpress 2026-07-02 6.5 Medium
Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
CVE-2026-57681 2 Paolo, Wordpress 2 Geodirectory, Wordpress 2026-07-02 6.4 Medium
Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions.
CVE-2026-57682 2 Quantumcloud, Wordpress 2 Simple Link Directory, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions.
CVE-2026-57687 2 Hiroaki Miyashita, Wordpress 2 Custom Field Template, Wordpress 2026-07-02 8.5 High
Contributor SQL Injection in Custom Field Template <= 2.7.8 versions.
CVE-2026-46680 1 Containerd 1 Containerd 2026-07-02 N/A
containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.
CVE-2026-57737 2 Averta, Wordpress 2 Shortcodes And Extra Features For Phlox Theme, Wordpress 2026-07-02 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16.
CVE-2026-53492 1 Containerd 1 Containerd 2026-07-02 N/A
containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
CVE-2026-57355 2 Radiustheme, Wordpress 2 Classified Listing, Wordpress 2026-07-02 6.5 Medium
Subscriber Broken Access Control in Classified Listing <= 5.4.2 versions.
CVE-2026-57359 2 Reviewx, Wordpress 2 Reviewx, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ReviewX <= 2.3.10 versions.