Search Results (352169 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-71214 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71215 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7 High |
| A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71216 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71217 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-13479 | 1 Poscube | 1 Qr Menu | 2026-05-22 | 7.5 High |
| Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1815 | 1 Turkiye Electricity Transmission Corporation | 1 Mobile Application | 2026-05-22 | 5.7 Medium |
| Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13. | ||||
| CVE-2026-1816 | 1 Turkiye Electricity Transmission Corporation | 1 Mobile Application | 2026-05-22 | 6.3 Medium |
| Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13. | ||||
| CVE-2026-46473 | 1 Tchatzi | 1 Authen::totp | 2026-05-22 | 7.5 High |
| Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. | ||||
| CVE-2026-34911 | 1 Ubiquiti | 31 Efg, Envr, Envr-core and 28 more | 2026-05-22 | 7.7 High |
| A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information. | ||||
| CVE-2026-2518 | 2 Wordpress, Wpxpo | 2 Wordpress, Fastx | 2026-05-22 | 4.3 Medium |
| The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin. | ||||
| CVE-2026-25608 | 1 Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy | 1 Ster | 2026-05-22 | N/A |
| STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5. | ||||
| CVE-2026-5755 | 1 Mattermost | 1 Mattermost | 2026-05-22 | 6.5 Medium |
| Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one. Mattermost Advisory ID: MMSA-2026-00648 | ||||
| CVE-2026-27349 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-05-22 | 4.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5. | ||||
| CVE-2026-28764 | 1 Mediaarea | 1 Mediainfo | 2026-05-22 | 7.8 High |
| MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability | ||||
| CVE-2026-39531 | 2 Wordpress, Wpdirectorykit | 2 Wordpress, Wp Directory Kit | 2026-05-22 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0. | ||||
| CVE-2026-48213 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48214 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute and an inline JavaScript string literal. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48215 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48216 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema) directly into HTML form input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48217 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||