Export limit exceeded: 364105 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364105 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-61977 | 2 Crocoblock, Wordpress | 2 Jetsearch, Wordpress | 2026-07-13 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2. | ||||
| CVE-2026-61985 | 2 Magepeopleteam, Wordpress | 2 Car Rental Manager, Wordpress | 2026-07-13 | 5.3 Medium |
| Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7. | ||||
| CVE-2026-22093 | 1 Evbee | 1 Evbee Service | 2026-07-13 | N/A |
| The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00. | ||||
| CVE-2026-57816 | 2 Funnelkit, Wordpress | 2 Funnel Builder By Funnelkit, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows Reflected XSS.This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.15.0.8. | ||||
| CVE-2026-22095 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
| CVE-2026-22100 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root. | ||||
| CVE-2026-22096 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints. | ||||
| CVE-2026-22102 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means. | ||||
| CVE-2026-61971 | 2 Cozmoslabs, Wordpress | 2 User Profile Picture, Wordpress | 2026-07-13 | 2.7 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3. | ||||
| CVE-2026-22099 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL. | ||||
| CVE-2026-22097 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution. | ||||
| CVE-2026-22098 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| Various sensitive information such as passwords and charging card UIDs are written to log files. | ||||
| CVE-2026-22103 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The NPC start endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
| CVE-2026-14846 | 1 Prestashop | 1 The Firmware | 2026-07-13 | N/A |
| In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data. | ||||
| CVE-2026-13014 | 1 Thalesgroup | 1 Cert Suspicious | 2026-07-13 | N/A |
| A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent denial of service, the potential compromise of application secrets or integrations, and root-level execution inside the Django application container. This vulnerability has been names "Matryoshka Mail". Thales PSIRT acknowledges and thanks Lucien Doustaly (aka wlayzz) for discovering and reporting this issue. | ||||
| CVE-2026-14934 | 2 Google, Google Cloud | 3 Cloud Platform, Bigquery, Colab Enterprise | 2026-07-13 | N/A |
| A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover. This vulnerability was patched on 10 May 2026, and no customer action is needed. | ||||
| CVE-2026-9824 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 4.3 Medium |
| Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676 | ||||
| CVE-2026-60121 | 1 Vitec | 1 Flamingo | 2026-07-13 | 9.8 Critical |
| Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo. | ||||
| CVE-2026-61498 | 1 Vitec | 1 Flamingo | 2026-07-13 | 9.8 Critical |
| Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. Attackers can exploit the lack of input sanitization in the graph generation script, which passes user-supplied values directly to shell commands via passthru(), to execute arbitrary OS commands with root privileges due to the web server context having passwordless sudo access. | ||||
| CVE-2026-6847 | 1 4real | 1 Themisnetpanel | 2026-07-13 | N/A |
| Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026. | ||||