Export limit exceeded: 362808 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9389 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-46955 | 1 Oracle | 1 Human Resources | 2026-06-19 | 7.5 High |
| Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | ||||
| CVE-2026-46785 | 1 Oracle | 1 Webcenter Content | 2026-06-19 | 9.3 Critical |
| Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). | ||||
| CVE-2026-46787 | 1 Oracle | 1 Webcenter Content | 2026-06-19 | 8 High |
| Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 8.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N). | ||||
| CVE-2026-46786 | 1 Oracle | 1 Webcenter Content | 2026-06-18 | 9.6 Critical |
| Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | ||||
| CVE-2026-9591 | 1 Simplcommerce | 1 Simplcommerce | 2026-06-18 | N/A |
| Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection. | ||||
| CVE-2026-46894 | 1 Oracle | 1 Isupplier Portal | 2026-06-18 | 8 High |
| Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). | ||||
| CVE-2026-54359 | 1 Misp | 1 Misp | 2026-06-15 | N/A |
| MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user’s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it. | ||||
| CVE-2026-49396 | 1 Nezhahq | 1 Nezha | 2026-06-13 | 7.1 High |
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14. | ||||
| CVE-2022-44630 | 2 Wordpress, Yith | 2 Wordpress, Yith Woocommerce Product Slider Carousel | 2026-06-12 | 4.6 Medium |
| Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: from n/a through 1.16.0. | ||||
| CVE-2026-48612 | 1 Phpbb | 1 Phpbb | 2026-06-12 | N/A |
| Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover. | ||||
| CVE-2026-53736 | 2 Bplugins, Wordpress | 2 Easy Twitter Feed, Wordpress | 2026-06-11 | 4.3 Medium |
| Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type. | ||||
| CVE-2024-32110 | 2 Magepeopleteam, Wordpress | 2 Wpevently, Wordpress | 2026-06-11 | 4.3 Medium |
| Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2. | ||||
| CVE-2026-53739 | 3 Duplicate Post Project, Wordpress, Yoast | 3 Duplicate Post, Wordpress, Yoast Duplicate Post | 2026-06-11 | 4.3 Medium |
| Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide. | ||||
| CVE-2022-47150 | 2 Wedevs, Wordpress | 2 Woocommerce Conversion Tracking, Wordpress | 2026-06-11 | 4.3 Medium |
| Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10. | ||||
| CVE-2025-58468 | 1 Qnap Systems | 1 Notification Center | 2026-06-10 | N/A |
| A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later | ||||
| CVE-2026-11195 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-10 | 6.5 Medium |
| Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-11194 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-10 | 6.5 Medium |
| Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-39170 | 1 Sem-cms | 1 Semcms | 2026-06-10 | 6.3 Medium |
| SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php. | ||||
| CVE-2026-10553 | 2 Weaverlancegmailcom, Wordpress | 2 Jquery Hover Footnotes, Wordpress | 2026-06-09 | 4.3 Medium |
| The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend. | ||||
| CVE-2026-8904 | 2 Wordpress, Yuluma | 2 Wordpress, Fastpicker, An Order Picker And Order Management System (oms) For Woocommerce On Steroids | 2026-06-09 | 4.3 Medium |
| The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||