Export limit exceeded: 358957 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358957 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69110 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions. | ||||
| CVE-2025-60223 | 2026-06-17 | 7.7 High | ||
| Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions. | ||||
| CVE-2025-60218 | 2026-06-17 | 9.9 Critical | ||
| Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions. | ||||
| CVE-2025-60205 | 2026-06-17 | 9.8 Critical | ||
| Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions. | ||||
| CVE-2025-59560 | 2026-06-17 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Sonaar <= 4.27.4 versions. | ||||
| CVE-2025-58954 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions. | ||||
| CVE-2025-58953 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in Joly <= 1.22.0 versions. | ||||
| CVE-2025-58952 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in Neuronet < 1.14.0 versions. | ||||
| CVE-2024-52488 | 2026-06-17 | 9.9 Critical | ||
| Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. | ||||
| CVE-2024-49269 | 2026-06-17 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. | ||||
| CVE-2026-20133 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-06-17 | 6.5 Medium |
| A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system. | ||||
| CVE-2026-25836 | 1 Fortinet | 3 Fortisandbox Cloud, Fortisandboxcloud, Fortisandboxpaas | 2026-06-17 | 6.7 Medium |
| An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2026-26795 | 1 Gl-inet | 3 Ar300m16, Ar300m16 Firmware, Gl-ar300m16 | 2026-06-17 | 9.8 Critical |
| GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2026-32746 | 1 Gnu | 1 Inetutils | 2026-06-17 | 9.8 Critical |
| telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. | ||||
| CVE-2026-31386 | 2 Litespeed Technologies, Litespeedtech | 4 Lsws Enterprise, Openlitespeed, Litespeed Web Server and 1 more | 2026-06-17 | N/A |
| OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege. | ||||
| CVE-2026-26830 | 2 Mooz, Pdf-image Project | 2 Pdf-image, Pdf-image | 2026-06-17 | 9.8 Critical |
| pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec() | ||||
| CVE-2026-26831 | 1 Dbashford | 1 Textract | 2026-06-17 | 9.8 Critical |
| textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization | ||||
| CVE-2026-26832 | 1 Zapolnoch | 2 Node-tesseract-ocr, Tesseract Ocr | 2026-06-17 | 9.8 Critical |
| node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization | ||||
| CVE-2026-12465 | 1 Google | 1 Chrome | 2026-06-17 | N/A |
| Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-28575 | 1 Google | 1 Android | 2026-06-17 | N/A |
| In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||