Export limit exceeded: 365573 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (365573 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-47261 1 Bytecodealliance 1 Wasmtime 2026-06-16 7.5 High
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.
CVE-2025-59133 2 Projectopia, Wordpress 2 Projectopia, Wordpress 2026-06-16 7.5 High
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
CVE-2026-9260 2026-06-16 6.2 Medium
Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
CVE-2026-27089 2 Magepeople, Wordpress 2 Wptravelly, Wordpress 2026-06-16 7.5 High
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
CVE-2026-9187 2026-06-16 5.3 Medium
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.
CVE-2026-39465 2 Metaslider, Wordpress 2 Responsive Slider By Metaslider, Wordpress 2026-06-16 9.1 Critical
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
CVE-2026-39478 2026-06-16 8.8 High
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
CVE-2026-50255 2026-06-16 N/A
Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges.
CVE-2026-39493 2 Nsquared, Wordpress 2 Simply Schedule Appointments, Wordpress 2026-06-16 9.3 Critical
Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.
CVE-2026-39533 2026-06-16 7.5 High
Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions.
CVE-2026-40743 2 Themeum, Wordpress 2 Tutor Lms, Wordpress 2026-06-16 6.5 Medium
Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.
CVE-2026-40779 2026-06-16 7.7 High
Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions.
CVE-2026-10825 1 Moxa 1 Nport 6000-g2 Series 2026-06-16 N/A
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
CVE-2026-40215 1 Openvpn 1 Openvpn 2026-06-16 N/A
A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.
CVE-2026-39490 2 Artbees, Wordpress 2 Jupiter X Core, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.
CVE-2026-49106 2 Crmperks, Wordpress 2 Integration For Contact Form 7 And Constant Contact, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
CVE-2026-49765 2 Crm Perks, Wordpress 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
CVE-2026-6964 2026-06-16 5.3 Medium
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation.
CVE-2026-39581 2 Activity-log.com, Wordpress 2 Wp Sessions Time Monitoring Full Automatic, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.
CVE-2026-52714 2026-06-16 7.5 High
Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.