Export limit exceeded: 362505 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (362505 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57748 | 2 Shopify Help Center, Wordpress | 2 Shopify, Wordpress | 2026-07-06 | 7.5 High |
| Contributor Local File Inclusion in Shopify <= 1.0.0 versions. | ||||
| CVE-2026-57750 | 2 Keksdieb, Wordpress | 2 Ez Form Calculator Premium, Wordpress | 2026-07-06 | 5.3 Medium |
| Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions. | ||||
| CVE-2026-57751 | 2 Heateor Support, Wordpress | 2 Heateor Social Login, Wordpress | 2026-07-06 | 8.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. | ||||
| CVE-2026-57753 | 2 Nathanbarry, Wordpress | 2 Kit (formerly Convertkit) For Woocommerce, Wordpress | 2026-07-06 | 5.3 Medium |
| Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions. | ||||
| CVE-2026-57755 | 2 Misbah Wp, Wordpress | 2 Mosaic Gallery – Advanced Gallery, Wordpress | 2026-07-06 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Mosaic Gallery – Advanced Gallery <= 1.2.0 versions. | ||||
| CVE-2026-57756 | 2 Wordpress, 友人a丶 | 2 Wordpress, Nicen-localize-image | 2026-07-06 | 8.5 High |
| Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions. | ||||
| CVE-2026-57757 | 2 Ploudapp, Wordpress | 2 Pcloud Wp Backup, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. | ||||
| CVE-2026-57761 | 2 Blueastralthemes, Wordpress | 2 Seowp, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions. | ||||
| CVE-2026-57762 | 2 Andrew Fiebert, Wordpress | 2 Simple Urls, Wordpress | 2026-07-06 | 5.9 Medium |
| Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions. | ||||
| CVE-2026-57763 | 2 Gordon Böhme, Wordpress | 2 Structured Content, Wordpress | 2026-07-06 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions. | ||||
| CVE-2026-57764 | 2 Surbma, Wordpress | 2 Surbma | Yoast Seo Breadcrumb Shortcode, Wordpress | 2026-07-06 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. | ||||
| CVE-2026-57760 | 2 Sendcloud, Wordpress | 2 Sendcloud Shipping, Wordpress | 2026-07-06 | 5.3 Medium |
| Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29. | ||||
| CVE-2026-58652 | 1 Openwrt | 2 Luci-app-travelmate, Travelmate | 2026-07-06 | 7.5 High |
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||
| CVE-2026-12167 | 1 Little Orbit | 1 Gamefirst Anti-cheat | 2026-07-06 | 7.8 High |
| The Minifilter communication port for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to access privileged driver functionality via a communication interface that lacks appropriate access restrictions. | ||||
| CVE-2026-12166 | 1 Little Orbit | 1 Gamefirst Anti-cheat | 2026-07-06 | 5.5 Medium |
| A NULL pointer dereference vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to cause a denial of service via crafted requests that trigger a system crash. | ||||
| CVE-2026-12168 | 1 Little Orbit | 1 Gamefirst Anti-cheat | 2026-07-06 | 7.8 High |
| An improper validation vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port. | ||||
| CVE-2026-58455 | 1 Notifiarr | 1 Dockwatch | 2026-07-06 | 9.8 Critical |
| Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket. | ||||
| CVE-2026-8699 | 1 Tp-link | 1 Archer C5 | 2026-07-06 | N/A |
| A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field. An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings. The vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers. | ||||
| CVE-2024-14037 | 1 Redsea Cloud | 1 Ehr | 2026-07-06 | 9.8 Critical |
| Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart POST request with a JSP webshell disguised using a spoofed image/jpeg Content-Type to bypass the absence of extension and MIME type validation, with the uploaded file stored at a predictable path under the uploadfile directory and executed directly by the web server. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-11-03 (UTC). | ||||
| CVE-2022-50973 | 1 Yonyou | 1 Ksoa | 2026-07-06 | 9.8 Critical |
| Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication, file type, extension, or content validation. Attackers can upload a JSP webshell by specifying a malicious filename and root filepath, with the uploaded file stored under the pictures directory and directly executed by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC). | ||||