Export limit exceeded: 363407 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 363407 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363407 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-24914 1 Qcubed 1 Qcubed 2026-07-04 9.8 Critical
A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.
CVE-2021-45420 1 Emerson 2 Dixell Xweb-500, Dixell Xweb-500 Firmware 2026-07-04 9.8 Critical
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
CVE-2020-24913 1 Qcubed 1 Qcubed 2026-07-04 9.8 Critical
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
CVE-2020-24036 1 Fork-cms 1 Fork Cms 2026-07-04 8.8 High
PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
CVE-2020-27509 1 Galaxkey 1 Galaxkey 2026-07-04 5.4 Medium
Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the 'subject' field. The payload executes when the recipient logs into their mailbox.
CVE-2021-42912 1 Fiberhome 12 Aan5506-04-g2g Firmware, An5506-01-a, An5506-01-a Firmware and 9 more 2026-07-04 8.8 High
FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon.
CVE-2022-37700 1 Easycorp 1 Zentao 2026-07-04 7.5 High
Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.
CVE-2020-22983 1 Microstrategy 1 Microstrategy Web 2026-07-04 8.1 High
A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task.
CVE-2022-25521 1 Nuuo 1 Network Video Recorder Firmware 2026-07-04 9.8 Critical
NUUO v03.11.00 was discovered to contain access control issue.
CVE-2022-33077 1 Nopcommerce 1 Nopcommerce 2026-07-04 7.5 High
An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint.
CVE-2026-14684 1 Hdrhistogram 1 Hdrhistogram 2026-07-04 3.3 Low
A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2022-41542 1 Devhubapp 1 Devhub 2026-07-04 5.4 Medium
devhub 0.102.0 was discovered to contain a broken session control.
CVE-2026-14683 1 Hdrhistogram 1 Hdrhistogram 2026-07-04 3.3 Low
A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manipulation of the argument lengthOfCompressedContents results in uncontrolled memory allocation. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-14115 1 Google 1 Chrome 2026-07-04 7.5 High
Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14154 1 Google 1 Chrome 2026-07-04 4.8 Medium
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
CVE-2026-20460 1 Mediatek, Inc. 1 Mediatek Chipset 2026-07-04 5.3 Medium
In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.
CVE-2024-1248 1 Wso2 5 Wso2 Api Manager, Wso2 Identity Server, Wso2 Identity Server As Key Manager and 2 more 2026-07-04 4.8 Medium
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
CVE-2026-14660 1 Code-projects 1 Online Job Portal 2026-07-04 7.3 High
A vulnerability was found in code-projects Online Job Portal 1.0. The affected element is an unknown function of the file login.php. Performing a manipulation of the argument txtUser/txtPass results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
CVE-2026-14659 1 Itsourcecode 1 Hospital Management System 2026-07-04 6.3 Medium
A vulnerability has been found in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /patientappointment.php. Such manipulation of the argument patiente leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-14658 1 Code-projects 1 Assessment Management 2026-07-04 6.3 Medium
A vulnerability was detected in code-projects Assessment Management 1.0. This vulnerability affects unknown code of the file /lecturer/marking-scheme.php. The manipulation of the argument smarksrange[] results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used.