Export limit exceeded: 361692 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (361692 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-14430 1 Google 1 Chrome 2026-07-02 8.8 High
Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14416 1 Google 1 Chrome 2026-07-02 9.6 Critical
Out of bounds read in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-57342 2 Shortpixel, Wordpress 2 Shortpixel Adaptive Images, Wordpress 2026-07-02 6.5 Medium
Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.
CVE-2026-57347 2 Jetmonsters, Wordpress 2 Hotel Booking Lite, Wordpress 2026-07-02 6.5 Medium
Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.
CVE-2026-57348 2 Cozmoslabs, Wordpress 2 Paid Member Subscriptions, Wordpress 2026-07-02 7.2 High
Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.
CVE-2026-57349 2 Etruel, Wordpress 2 Wpematico Rss Feed Fetcher, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.
CVE-2026-57353 2026-07-02 6.5 Medium
Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.
CVE-2026-4770 2026-07-02 4.6 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.
CVE-2026-55794 2026-07-02 N/A
Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.
CVE-2026-57730 2026-07-02 4.3 Medium
Subscriber Broken Access Control in Flatsome <= 3.20.5 versions.
CVE-2026-57750 2026-07-02 5.3 Medium
Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.
CVE-2026-57763 2026-07-02 6.5 Medium
Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.
CVE-2026-57269 1 Geovision Inc. 1 Geowebplayer 2026-07-02 8.3 High
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound. #### disconnect command index-out-of-bound
CVE-2026-57760 2026-07-02 5.3 Medium
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29.
CVE-2026-57270 1 Geovision Inc. 1 Geowebplayer 2026-07-02 8.3 High
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound. #### play command index-out-of-bound
CVE-2026-57756 2026-07-02 8.5 High
Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
CVE-2026-57271 1 Geovision Inc. 1 Geowebplayer 2026-07-02 8.3 High
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. #### pause command index-out-of-bound
CVE-2026-42382 2026-07-02 8.1 High
Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
CVE-2026-12657 2 Latepoint, Wordpress 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress 2026-07-02 5.3 Medium
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
CVE-2026-57273 1 Geovision Inc. 1 Geowebplayer 2026-07-02 8.3 High
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. The Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits. #### Buffer Overflow in username field (no key present)