Search Results (350586 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-32643 | 1 F5 | 2 Big-ip, Big-iq | 2026-05-13 | 6.5 Medium | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-39458 | 1 F5 | 1 Big-ip | 2026-05-13 | 7.5 High | When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-1497 | 1 Neo4j | 2 Enterprise Edition, Neo4j | 2026-05-13 | 7.2 High | Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user access to a remote database constituent "namespace.name" will inadvertently grant access to any local database or remote alias called "name". If such a database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future. |
| CVE-2026-6862 | 2 Redhat, Ubuntu | 4 Enterprise Linux, Openshift, Openshift Container Platform and 1 more | 2026-05-13 | 5.5 Medium | A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS). |
| CVE-2026-29796 | 2 Igl, Igl-technologies | 2 Eparking.fi, Eparking.fi | 2026-05-13 | 9.4 Critical | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. |
| CVE-2026-31226 | 1 Jiayi-pan | 1 Tinyzero | 2026-05-13 | 9.8 Critical | The TinyZero project through commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without proper input sanitization or escaping. User-controlled input (such as file paths) is directly interpolated into shell command strings using f-strings within the _copy() function. An attacker can inject arbitrary OS commands by supplying a specially crafted path parameter through the Hydra configuration framework. This leads to remote code execution with the privileges of the user running the TinyZero training process. |
| CVE-2026-31243 | 1 Mem0ai | 1 Mem0 | 2026-05-13 | 6.5 Medium | The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service. |
| CVE-2026-37428 | | | 2026-05-13 | N/A | qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII). |
| CVE-2026-24464 | 1 F5 | 1 Big-ip | 2026-05-13 | 6.8 Medium | When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2020-37169 | 2 Ultimatemember, Wordpress | 2 Ultimate Member, Wordpress | 2026-05-13 | 5.5 Medium | WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code. |
| CVE-2020-37174 | 2 Pluginus, Wordpress | 2 Husky - Products Filter Professional For Woocommerce, Wordpress | 2026-05-13 | 5.5 Medium | WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' and 'Custom front css styles' that executes on frontend pages when saved, affecting all site visitors. |
| CVE-2020-37225 | 2 Powie, Wordpress | 2 Pfile, Wordpress | 2026-05-13 | 6.4 Medium | Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in the pwhois_settings.php configuration page to execute JavaScript in the admin context and escalate privileges. |
| CVE-2026-42920 | | | 2026-05-13 | 7.5 High | When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-42409 | | | 2026-05-13 | 7.5 High | When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-41956 | | | 2026-05-13 | 7.5 High | When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-3087 | 2 Microsoft, Python | 3 Windows, Cpython, Python | 2026-05-13 | 7.5 High | If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory, which differs from the behaviour on other operating systems. Only Windows is affected by this vulnerability. |
| CVE-2026-8449 | 1 Linux | 1 Ksmbd | 2026-05-13 | N/A | This CVE ID has been rejected or withdrawn. |
| CVE-2026-7168 | 1 Curl | 1 Curl | 2026-05-13 | 5.3 Medium | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA` to `proxyB`. |
| CVE-2026-44872 | 1 Hpe | 1 Arubaos | 2026-05-13 | 7.2 High | A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device. |
| CVE-2026-41471 | 2 Scott Paterson, Wordpress | 2 Easy-paypal-events-tickets, Wordpress | 2026-05-13 | 7.5 High | Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. |