Export limit exceeded: 349775 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349775 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-50963 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2022-50968 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2022-50969 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2021-47929 | 2 Filterable-portfolio, Wordpress | 2 Filterable Portfolio Gallery, Wordpress | 2026-05-10 | 6.4 Medium |
| Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page. | ||||
| CVE-2021-47930 | 1 Balbooa | 1 Balbooa Joomla Forms Builder | 2026-05-10 | 8.2 High |
| Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information. | ||||
| CVE-2021-47944 | 1 Memono | 1 Notepad | 2026-05-10 | 7.5 High |
| memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | ||||
| CVE-2021-47950 | 1 Ampps | 1 Advanced Guestbook | 2026-05-10 | 6.4 Medium |
| Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | ||||
| CVE-2026-45190 | 1 Stigtsp | 1 Net::cidr::lite | 2026-05-10 | N/A |
| Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191. | ||||
| CVE-2026-7864 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. | ||||
| CVE-2026-44127 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. | ||||
| CVE-2026-44128 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval. | ||||
| CVE-2026-44129 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. | ||||
| CVE-2026-44125 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | ||||
| CVE-2026-44126 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object. | ||||
| CVE-2026-8178 | 1 Aws | 1 Amazon-redshift-jdbc-driver | 2026-05-10 | 8.1 High |
| An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later. | ||||
| CVE-2026-42452 | 1 Termix | 1 Termix | 2026-05-10 | 8.1 High |
| Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0. | ||||
| CVE-2026-42453 | 1 Termix | 1 Termix | 2026-05-10 | N/A |
| Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0. | ||||
| CVE-2026-42454 | 1 Termix | 1 Termix | 2026-05-10 | 9.9 Critical |
| Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0. | ||||
| CVE-2025-15633 | 1 Hcltech | 1 Bigfix Webui | 2026-05-10 | N/A |
| An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers. | ||||
| CVE-2025-15634 | 1 Hcltech | 1 Bigfix Webui | 2026-05-10 | N/A |
| A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. | ||||