Export limit exceeded: 351454 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 351454 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351454 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45085 | 1 Gruparge | 1 Smartpower Web | 2026-05-18 | 6.5 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows : Server Side Request Forgery. This issue affects Smartpower Web: before 23.01.01. | ||||
| CVE-2026-5163 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint.. Mattermost Advisory ID: MMSA-2026-00645 | ||||
| CVE-2022-45091 | 1 Gruparge | 1 Smartpower Web | 2026-05-18 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issue affects Smartpower Web: before 23.01.01. | ||||
| CVE-2026-3117 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 | ||||
| CVE-2026-6347 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 7.6 High |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605 | ||||
| CVE-2018-25329 | 2 Wordpress, Wp-with-spritz | 2 Wordpress, Wp With Spritz | 2026-05-18 | 7.5 High |
| WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials. | ||||
| CVE-2026-6343 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591 | ||||
| CVE-2026-28732 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597 | ||||
| CVE-2022-45090 | 1 Gruparge | 1 Smartpower Web | 2026-05-18 | 8.8 High |
| Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. | ||||
| CVE-2026-6346 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 8.7 High |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607 | ||||
| CVE-2026-6345 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614 | ||||
| CVE-2026-6334 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.1 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermost Advisory ID: MMSA-2026-00570 | ||||
| CVE-2026-42288 | 1 Churchcrm | 1 Churchcrm | 2026-05-18 | 10 Critical |
| ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2. | ||||
| CVE-2026-2325 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}.. Mattermost Advisory ID: MMSA-2026-00608 | ||||
| CVE-2026-3471 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618 | ||||
| CVE-2026-3637 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627 | ||||
| CVE-2022-45089 | 1 Gruparge | 1 Smartpower Web | 2026-05-18 | 8.8 High |
| Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. | ||||
| CVE-2026-45397 | 1 Open-webui | 1 Open-webui | 2026-05-18 | 5.3 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on the same router (/embedding, /config) is correctly guarded by get_admin_user making this a targeted omission. This vulnerability is fixed in 0.9.5. | ||||
| CVE-2026-4273 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.7 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575 | ||||
| CVE-2026-3495 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 3.8 Low |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622 | ||||