Export limit exceeded: 358285 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358285 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34901 | 2026-06-15 | 9.8 Critical | ||
| Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. | ||||
| CVE-2026-34898 | 2026-06-15 | 7.5 High | ||
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. | ||||
| CVE-2026-34891 | 2026-06-15 | 7.5 High | ||
| Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions. | ||||
| CVE-2026-27407 | 2026-06-15 | 7.2 High | ||
| Editor Privilege Escalation in AI Engine <= 3.4.9 versions. | ||||
| CVE-2026-27053 | 2026-06-15 | 9.8 Critical | ||
| Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. | ||||
| CVE-2026-24637 | 2026-06-15 | 8.5 High | ||
| Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions. | ||||
| CVE-2026-9691 | 2026-06-15 | 9.8 Critical | ||
| Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | ||||
| CVE-2025-69332 | 2026-06-15 | 6.5 Medium | ||
| Subscriber Broken Access Control in Bookify <= 1.1.1 versions. | ||||
| CVE-2025-68872 | 2026-06-15 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. | ||||
| CVE-2025-68851 | 2026-06-15 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. | ||||
| CVE-2025-68049 | 2026-06-15 | 6.3 Medium | ||
| Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. | ||||
| CVE-2025-60175 | 2026-06-15 | 4.4 Medium | ||
| Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions. | ||||
| CVE-2026-49954 | 2026-06-15 | 7.2 High | ||
| Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user. | ||||
| CVE-2026-49953 | 2026-06-15 | 6.5 Medium | ||
| Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse. | ||||
| CVE-2026-49952 | 2026-06-15 | 9.1 Critical | ||
| Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users. | ||||
| CVE-2026-47835 | 2026-06-15 | 8.6 High | ||
| In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8). | ||||
| CVE-2026-41708 | 2026-06-15 | 7.5 High | ||
| In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13. | ||||
| CVE-2026-11931 | 1 Aws | 1 Kiro Ide | 2026-06-15 | 5.5 Medium |
| Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating. | ||||
| CVE-2026-42985 | 1 Microsoft | 30 Remote Desktop, Remote Desktop Client, Windows 10 1607 and 27 more | 2026-06-15 | 8.8 High |
| Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-42992 | 1 Microsoft | 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more | 2026-06-15 | 7.5 High |
| Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | ||||