Export limit exceeded: 365155 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365155 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-50992 | 1 Weaver | 1 E-cology | 2026-07-15 | 7.5 High |
| Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC). | ||||
| CVE-2022-50972 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-07-15 | 9.8 Critical |
| WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root. | ||||
| CVE-2022-50971 | 1 Malwarebytes | 1 Malwarebytes | 2026-07-15 | 7.8 High |
| Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root path. Attackers can place executable files in unquoted path directories that execute with LocalSystem privileges during service startup or system reboot. | ||||
| CVE-2022-50959 | 2 Wordpress, Wpdevart | 2 Wordpress, Contact Form Builder | 2026-07-15 | 6.1 Medium |
| WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2022-50956 | 2 Amministrazione Aperta Project, Wordpress | 2 Amministrazione Aperta, Wordpress | 2026-07-15 | 6.2 Medium |
| WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server. | ||||
| CVE-2022-50944 | 2 Aerocms Project, Megatkc | 2 Aerocms, Aero Cms | 2026-07-15 | 8.8 High |
| Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server. | ||||
| CVE-2022-50943 | 1 Moodle | 1 Moodle | 2026-07-15 | 6.1 Medium |
| Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. | ||||
| CVE-2021-47979 | 3 Miniorange, Wordpress, Wpbackitup | 3 Backup And Restore, Wordpress, Backup And Restore Wordpress | 2026-07-15 | 8.8 High |
| WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory. | ||||
| CVE-2021-47950 | 2 Ampps, Simplephpscripts | 2 Advanced Guestbook, Guestbook Script | 2026-07-15 | 6.4 Medium |
| Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | ||||
| CVE-2021-47941 | 2 Modalsurvey, Wordpress | 3 Survey & Poll, Wordpress Survey And Poll, Wordpress | 2026-07-15 | 8.2 High |
| WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database. | ||||
| CVE-2021-47932 | 2 Thecartpress, Wordpress | 2 Thecartpress, Wordpress | 2026-07-15 | 9.8 Critical |
| WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | ||||
| CVE-2021-47925 | 2 Cmdbuild, Tecnoteca | 2 Cmdbuild, Cmdbuild | 2026-07-15 | 6.4 Medium |
| CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments. | ||||
| CVE-2021-47903 | 2 Litespeed Technologies, Litespeedtech | 2 Litespeed Web Server, Litespeed Web Server | 2026-07-15 | 8.8 High |
| LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. | ||||
| CVE-2021-47889 | 2 Cd-messenger Project, Softros Systems | 2 Cd-messenger, Lan Messenger | 2026-07-15 | 7.8 High |
| Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges. | ||||
| CVE-2021-47815 | 2 Nsasoft, Nsauditor | 2 Nsauditor, Nsauditor | 2026-07-15 | 7.5 High |
| Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. | ||||
| CVE-2021-47778 | 2 Get-simple, Netexplorer | 2 Getsimplecms, My Smtp Contact | 2026-07-15 | 7.2 High |
| GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. | ||||
| CVE-2021-47736 | 1 Cmsimple-xh | 1 Cmsimple Xh | 2026-07-15 | 7.2 High |
| CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server. | ||||
| CVE-2021-47708 | 2 Bosch, Commax | 2 Smart Home, Smart Home System | 2026-07-15 | N/A |
| COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access. | ||||
| CVE-2021-4474 | 3 Ruckus, Ruckussecurity, Ruckuswireless | 9 Ruckus Unleashed, Smartzone 100-d (sz100-d) (eol), Smartzone 100 (sz-100) (eol) and 6 more | 2026-07-15 | 4.9 Medium |
| Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive information including configuration files, credentials, and system data stored on the device. | ||||
| CVE-2020-37255 | 2 Wordpress, Wptimecapsule | 2 Wordpress, Wp Time Capsule | 2026-07-15 | 7.5 High |
| WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials. | ||||