Export limit exceeded: 360021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (360021 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47216 | 1 Typesense | 1 Typesense | 2026-06-12 | N/A |
| Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to terminate. This issue can be exploited over the network without authentication and results in service unavailability. The duration of impact may vary depending on system configuration and dataset size. This issue has been patched in versions 29.1 and 30.2. | ||||
| CVE-2026-53406 | 1 Zoom Communications | 1 Remote Control For Zoom Contact Center | 2026-06-12 | 7.8 High |
| Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access. | ||||
| CVE-2026-28742 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 9.8 Critical |
| Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform. | ||||
| CVE-2026-50101 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 8.1 High |
| Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding. | ||||
| CVE-2026-50108 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 7.5 High |
| The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications. | ||||
| CVE-2026-42947 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 8.8 High |
| A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware. | ||||
| CVE-2026-42932 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 5.3 Medium |
| Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated. | ||||
| CVE-2026-50244 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 5.3 Medium |
| The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration. | ||||
| CVE-2026-50099 | 1 Naxclow | 4 Ix Cam, Smart Doorbell X3, V720 and 1 more | 2026-06-12 | 4.6 Medium |
| During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks. | ||||
| CVE-2026-43872 | 1 Actualbudget | 1 Actual | 2026-06-12 | N/A |
| Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue. | ||||
| CVE-2022-42479 | 2 Templatehouse, Wordpress | 2 Soledad, Wordpress | 2026-06-12 | 5.4 Medium |
| Missing Authorization vulnerability in TemplateHouse Soledad allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Soledad: from n/a through 8.2.5. | ||||
| CVE-2022-44630 | 2 Wordpress, Yith | 2 Wordpress, Yith Woocommerce Product Slider Carousel | 2026-06-12 | 4.6 Medium |
| Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: from n/a through 1.16.0. | ||||
| CVE-2026-11561 | 1 Soagen Informatics | 1 Apinizer | 2026-06-12 | 9.8 Critical |
| Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection. This issue affects Apinizer: from 2026.04.0 before 2026.04.6. | ||||
| CVE-2026-11816 | 1 Keras-team | 1 Keras | 2026-06-12 | 8.1 High |
| Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines. | ||||
| CVE-2026-9648 | 1 Haskell Programming Language | 1 Crypton-certificate | 2026-06-12 | 9.1 Critical |
| The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope. | ||||
| CVE-2026-11839 | 1 Basarsoft | 1 Rotaban | 2026-06-12 | 9.9 Critical |
| Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server. This issue affects Rotaban: from V2026.06.002 before V2026.06.003. | ||||
| CVE-2026-46698 | 2 Stefanbohacek, Wordpress | 2 Fediverse-embeds-wordpress-plugin, Wordpress | 2026-06-12 | 5.3 Medium |
| Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9. | ||||
| CVE-2026-46697 | 2 Stefanbohacek, Wordpress | 2 Fediverse-embeds-wordpress-plugin, Wordpress | 2026-06-12 | 7.5 High |
| Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8. | ||||
| CVE-2026-47157 | 1 Subzeroid | 1 Aiograpi | 2026-06-12 | 6.5 Medium |
| aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms. | ||||
| CVE-2026-44168 | 1 Mariadb | 1 Server | 2026-06-12 | 8 High |
| MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | ||||