Export limit exceeded: 349587 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349587 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-35157 | 2026-05-11 | 5.8 Medium | ||
| Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution. | ||||
| CVE-2026-41907 | 1 Uuidjs | 1 Uuid | 2026-05-11 | 7.5 High |
| uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0. | ||||
| CVE-2025-31974 | 1 Hcltech | 1 Bigfix Service Management | 2026-05-11 | 3.9 Low |
| HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | ||||
| CVE-2022-50970 | 2 Getaawp, Wordpress | 2 Wordpress Plugin Aawp, Wordpress | 2026-05-11 | 5.4 Medium |
| WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users. | ||||
| CVE-2026-34760 | 2 Vllm, Vllm-project | 2 Vllm, Vllm | 2026-05-11 | 5.9 Medium |
| vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0. | ||||
| CVE-2021-47927 | 2 Wordpress, Wpsymposiumpro | 2 Wordpress, Wp Symposium Pro | 2026-05-11 | 6.4 Medium |
| WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed. | ||||
| CVE-2021-47933 | 3 Inspireui, Mstore, Wordpress | 3 Mstore Api, Mstore Api, Wordpress | 2026-05-11 | 9.8 Critical |
| WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server. | ||||
| CVE-2021-47940 | 2 Download-from-files, Wordpress | 2 Download From Files, Wordpress | 2026-05-11 | 9.8 Critical |
| WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root. | ||||
| CVE-2021-47947 | 1 Projectsend | 1 Projectsend | 2026-05-11 | 6.4 Medium |
| Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page. | ||||
| CVE-2026-26946 | 2026-05-11 | 6.7 Medium | ||
| Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper privilege management vulnerability in the OS. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. | ||||
| CVE-2021-47910 | 2 Accesspressthemes, Wordpress | 2 Accesspress Social Icons, Wordpress | 2026-05-11 | 6.4 Medium |
| AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface. | ||||
| CVE-2022-50966 | 1 Ubidauction | 1 Ubidauction | 2026-05-11 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2025-14512 | 2 Gnome, Redhat | 4 Glib, Enterprise Linux, Hummingbird and 1 more | 2026-05-11 | 6.5 Medium |
| A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values. | ||||
| CVE-2025-14087 | 2 Gnome, Redhat | 3 Glib, Enterprise Linux, Hummingbird | 2026-05-11 | 5.6 Medium |
| A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings. | ||||
| CVE-2025-13033 | 1 Redhat | 3 Acm, Ceph Storage, Rhdh | 2026-05-11 | 7.5 High |
| A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls. | ||||
| CVE-2022-50960 | 2 Varun Sridharan, Wordpress | 2 International Sms For Contact Form, Wordpress | 2026-05-11 | 6.1 Medium |
| WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers. | ||||
| CVE-2022-50954 | 3 Cab-fare-calculator, Kanev, Wordpress | 3 Cab-fare-calculator, Cab Fare Calculator, Wordpress | 2026-05-11 | 6.2 Medium |
| WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory. | ||||
| CVE-2022-50944 | 1 Megatkc | 1 Aero Cms | 2026-05-11 | 8.8 High |
| Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server. | ||||
| CVE-2025-61669 | 1 Jupyter | 1 Jupyter Server | 2026-05-11 | 6.1 Medium |
| Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0. | ||||
| CVE-2026-40934 | 1 Jupyter | 1 Jupyter Server | 2026-05-11 | 6.8 Medium |
| Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0. | ||||