Export limit exceeded: 352467 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352467 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27393 | 2 Tobias, Wordpress | 2 Cf7 Wow Styler, Wordpress | 2026-05-22 | 5.3 Medium |
| Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6. | ||||
| CVE-2026-5118 | 2 Divi Engine, Wordpress | 2 Divi Form Builder, Wordpress | 2026-05-22 | 9.8 Critical |
| The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration. | ||||
| CVE-2025-13477 | 1 Digital Operations Services Inc. | 1 Wifiburada | 2026-05-22 | 7.1 High |
| Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-71214 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71215 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7 High |
| A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71216 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-71217 | 1 Trendmicro | 1 Apexone Op | 2026-05-22 | 7.8 High |
| An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | ||||
| CVE-2025-13479 | 1 Poscube | 1 Qr Menu | 2026-05-22 | 7.5 High |
| Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1815 | 1 Turkiye Electricity Transmission Corporation | 1 Mobile Application | 2026-05-22 | 5.7 Medium |
| Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13. | ||||
| CVE-2026-1816 | 1 Turkiye Electricity Transmission Corporation | 1 Mobile Application | 2026-05-22 | 6.3 Medium |
| Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13. | ||||
| CVE-2026-46473 | 1 Tchatzi | 1 Authen::totp | 2026-05-22 | 7.5 High |
| Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. | ||||
| CVE-2026-34911 | 1 Ubiquiti | 31 Efg, Envr, Envr-core and 28 more | 2026-05-22 | 7.7 High |
| A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information. | ||||
| CVE-2026-2518 | 2 Wordpress, Wpxpo | 2 Wordpress, Fastx | 2026-05-22 | 4.3 Medium |
| The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin. | ||||
| CVE-2026-8679 | 2 Cssigniterteam, Wordpress | 2 Audioigniter Music Player, Wordpress | 2026-05-22 | 7.5 High |
| The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status. | ||||
| CVE-2026-25608 | 1 Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy | 1 Ster | 2026-05-22 | N/A |
| STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5. | ||||
| CVE-2026-5755 | 1 Mattermost | 1 Mattermost | 2026-05-22 | 6.5 Medium |
| Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one.. Mattermost Advisory ID: MMSA-2026-00648 | ||||
| CVE-2026-27349 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-05-22 | 4.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5. | ||||
| CVE-2026-28764 | 1 Mediaarea | 1 Mediainfo | 2026-05-22 | 7.8 High |
| MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability | ||||
| CVE-2026-34926 | 1 Trendmicro | 2 Apexone Op, Apexone Saas | 2026-05-22 | 6.7 Medium |
| A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability. | ||||
| CVE-2026-39531 | 2 Wordpress, Wpdirectorykit | 2 Wordpress, Wp Directory Kit | 2026-05-22 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0. | ||||