Export limit exceeded: 12363 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12363 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40790 | 2 Veronalabs, Wordpress | 2 Wp Sms, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions. | ||||
| CVE-2026-48970 | 2 Really-simple-plugins, Wordpress | 2 Really Simple Ssl, Wordpress | 2026-06-16 | 8.1 High |
| Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions. | ||||
| CVE-2026-40781 | 2 Reviewx, Wordpress | 2 Reviewx, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions. | ||||
| CVE-2026-40767 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions. | ||||
| CVE-2026-49764 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-06-16 | 9.8 Critical |
| Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. | ||||
| CVE-2026-10611 | 1 Misp | 1 Misp | 2026-06-16 | 10.0 Critical |
| An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required. | ||||
| CVE-2026-42668 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions. | ||||
| CVE-2026-42411 | 2026-06-15 | 8.1 High | ||
| Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions. | ||||
| CVE-2026-40799 | 2026-06-15 | 5.8 Medium | ||
| Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions. | ||||
| CVE-2026-40785 | 2026-06-15 | 7.1 High | ||
| Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions. | ||||
| CVE-2026-39450 | 2026-06-15 | 7.1 High | ||
| Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. | ||||
| CVE-2026-48114 | 2026-06-15 | 9.8 Critical | ||
| Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0. | ||||
| CVE-2026-12212 | 1 Hcengineering | 1 Huly Platform | 2026-06-15 | 4.3 Medium |
| A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-50627 | 1 Apache | 1 Cxf | 2026-06-15 | 9.1 Critical |
| The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | ||||
| CVE-2026-42378 | 2026-06-15 | 6.5 Medium | ||
| Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions. | ||||
| CVE-2026-44783 | 1 Discourse | 1 Discourse | 2026-06-15 | 5.4 Medium |
| Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | ||||
| CVE-2026-45503 | 1 Microsoft | 9 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 6 more | 2026-06-15 | 8.1 High |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. | ||||
| CVE-2025-53786 | 1 Microsoft | 6 Exchange, Exchange Server, Exchange Server 2016 and 3 more | 2026-06-15 | 8 High |
| On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. | ||||
| CVE-2026-45654 | 1 Microsoft | 8 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 5 more | 2026-06-15 | 7.9 High |
| Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-41092 | 1 Microsoft | 26 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 23 more | 2026-06-15 | 7.8 High |
| Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. | ||||