Export limit exceeded: 361839 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361839 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-58451 | 1 Horde | 1 Imp | 2026-07-02 | 6.5 Medium |
| Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session. | ||||
| CVE-2026-14133 | 1 Google | 1 Chrome | 2026-07-02 | 4.3 Medium |
| Race in History Embeddings in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-12122 | 2 Themeum, Wordpress | 2 Kirki – Freeform Page Builder, Website Builder & Customizer, Wordpress | 2026-07-02 | 5.3 Medium |
| The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID. | ||||
| CVE-2026-27419 | 2 Wordpress, Zozothemes | 2 Wordpress, Zegen | 2026-07-02 | 9.9 Critical |
| Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions. | ||||
| CVE-2026-57764 | 2026-07-02 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. | ||||
| CVE-2026-57686 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. | ||||
| CVE-2026-57757 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. | ||||
| CVE-2026-57751 | 2026-07-02 | 8.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. | ||||
| CVE-2026-4767 | 2026-07-02 | 9.8 Critical | ||
| Missing authentication for critical function vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. | ||||
| CVE-2026-57680 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-02 | 6.5 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions. | ||||
| CVE-2026-57678 | 2 Themepunch, Wordpress | 2 Slider Revolution, Wordpress | 2026-07-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16. | ||||
| CVE-2026-24270 | 2026-07-02 | 9.8 Critical | ||
| NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2026-58652 | 2026-07-02 | 7.5 High | ||
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||
| CVE-2026-58653 | 1 Praison | 1 Praisonai | 2026-07-02 | 4.3 Medium |
| PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints. | ||||
| CVE-2026-4772 | 2026-07-02 | 5.4 Medium | ||
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. | ||||
| CVE-2026-4770 | 2026-07-02 | 4.6 Medium | ||
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117. | ||||
| CVE-2026-57737 | 2 Averta, Wordpress | 2 Shortcodes And Extra Features For Phlox Theme, Wordpress | 2026-07-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16. | ||||
| CVE-2026-57359 | 2 Reviewx, Wordpress | 2 Reviewx, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in ReviewX <= 2.3.10 versions. | ||||
| CVE-2026-14449 | 2026-07-02 | N/A | ||
| u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components | ||||
| CVE-2026-55595 | 1 Imagemagick | 1 Imagemagick | 2026-07-02 | 4.7 Medium |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26. | ||||