Export limit exceeded: 365260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 365260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 365260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365260 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42952 | 1 Hydro-québec | 1 Le Circuit Electrique Charging Station Backend | 2026-07-13 | 7.5 High |
| Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack. | ||||
| CVE-2026-44383 | 1 Hydro-québec | 1 Le Circuit Electrique Charging Station Backend | 2026-07-13 | 7.5 High |
| Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend. | ||||
| CVE-2026-13262 | 2 Ahmadmj, Wordpress | 2 Majestic Support – The Leading-edge Help Desk & Customer Support Plugin, Wordpress | 2026-07-13 | 6.5 Medium |
| The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user. | ||||
| CVE-2026-3367 | 2 Lustmored, Wordpress | 2 Lockme Calendars Integration, Wordpress | 2026-07-13 | 4.4 Medium |
| The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users. | ||||
| CVE-2026-12426 | 2 Supercleanse, Wordpress | 2 Members – Membership & User Role Editor Plugin, Wordpress | 2026-07-13 | 5.3 Medium |
| The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts. | ||||
| CVE-2026-2354 | 2 Wordpress, Wpmessiah | 2 Wordpress, Swiss Toolkit For Wp | 2026-07-13 | 8.8 High |
| The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats. | ||||
| CVE-2026-6803 | 2 Wordpress, Wupsales | 2 Wordpress, Ai Copilot – Content Generator | 2026-07-13 | 5.3 Medium |
| The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers. | ||||
| CVE-2026-57391 | 2 Tangible, Wordpress | 2 Loops & Logic, Wordpress | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3. | ||||
| CVE-2026-57713 | 2 Marcus (aka @msykes), Wordpress | 2 Events Manager, Wordpress | 2026-07-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6. | ||||
| CVE-2026-15539 | 1 Sourcecodester | 1 Online Book Store System | 2026-07-13 | 4.7 Medium |
| A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-14165 | 1 Dassault Systèmes | 1 Tuleap Enterprise Edition | 2026-07-13 | 7.5 High |
| An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization. | ||||
| CVE-2026-57829 | 2026-07-13 | N/A | ||
| The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS. | ||||
| CVE-2026-9708 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 4.9 Medium |
| Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683 | ||||
| CVE-2026-50135 | 1 Gohugo | 1 Hugo | 2026-07-13 | N/A |
| Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0. | ||||
| CVE-2026-28378 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-07-13 | 3.1 Low |
| The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. | ||||
| CVE-2026-56279 | 1 Cap-go | 1 Cap-go | 2026-07-13 | 7.5 High |
| Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles, management emails, and billing metadata. | ||||
| CVE-2026-56305 | 1 Cap-go | 1 Cap-go | 2026-07-13 | 8.3 High |
| Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate users and achieve full account takeover. | ||||
| CVE-2026-57726 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-13 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Kirki kirki allows Blind SQL Injection.This issue affects Kirki: from n/a through <= 6.0.12. | ||||
| CVE-2026-4769 | 1 Wago | 9 0765-110x/0100-0000, 0765-120x/0100-0000, 0765-150x/0100-0000 and 6 more | 2026-07-13 | 9.8 Critical |
| Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise. | ||||
| CVE-2026-15545 | 1 Shibby | 1 Tomato | 2026-07-13 | 8.8 High |
| A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly available and might be used. This project is superseded by FreshTomato. | ||||