Export limit exceeded: 365210 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365210 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-62147 | 1 Redhat | 1 Openshift Distributed Tracing | 2026-07-13 | 6.5 Medium |
| The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces. | ||||
| CVE-2026-55213 | 1 H2o | 1 H2o | 2026-07-13 | 7.5 High |
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1. | ||||
| CVE-2026-55881 | 1 Openreplay | 1 Openreplay | 2026-07-13 | N/A |
| OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the requester's tenant and did not verify that the session belonged to that project, allowing any authenticated low-privilege user to read another tenant's first 15 seconds of session-replay recording data. This issue is fixed in version 1.27.0. | ||||
| CVE-2026-61958 | 2026-07-13 | 5.4 Medium | ||
| Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: from n/a through <= 3.0.17. | ||||
| CVE-2026-55852 | 1 Frappe | 1 Frappe | 2026-07-13 | N/A |
| Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0. | ||||
| CVE-2026-57803 | 2026-07-13 | 7.5 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through <= 2.5.1. | ||||
| CVE-2026-58281 | 1 Microsoft | 1 Edge Chromium | 2026-07-13 | 8.3 High |
| Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-12761 | 2026-07-13 | 9.8 Critical | ||
| The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied — granting full administrator access. | ||||
| CVE-2026-57216 | 1 Rabbitmq | 1 Rabbitmq-server | 2026-07-13 | 6.8 Medium |
| RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, AMQP 0-9-1, AMQP 1.0, and Stream Protocol authentication can allow a loopback-restricted user such as guest to connect remotely when traffic is accepted through a trusted PROXY-protocol path and the backend listener is loopback-bound because the loopback check uses the listener-side socket address instead of the real client source. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. | ||||
| CVE-2026-57797 | 2 Thememove, Wordpress | 2 Edumall, Wordpress | 2026-07-13 | 4.3 Medium |
| Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1. | ||||
| CVE-2026-8921 | 1 Asus | 1 Asus Business Manager | 2026-07-13 | N/A |
| External Control of File Name or Path vulnerability in ASUS Business Manager allows a local user to execute arbitrary code with SYSTEM privileges via a tampered IPC message. Refer to the ' Security Update for ASUS Business Manager ' section on the ASUS Security Advisory for more information. | ||||
| CVE-2022-4990 | 1 Asus | 1 Ai Suite 3 | 2026-07-13 | N/A |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to bypass security validation and access restricted memory blocks via crafted IOCTL requests, leading to privilege escalation. | ||||
| CVE-2026-57368 | 2 Nootheme, Wordpress | 2 Jobmonster, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through <= 4.8.5. | ||||
| CVE-2026-57724 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This issue affects Kirki: from n/a through <= 6.0.12. | ||||
| CVE-2026-9820 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 3.8 Low |
| Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671 | ||||
| CVE-2026-6541 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 4.3 Medium |
| Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653 | ||||
| CVE-2026-15558 | 1 Codeastro | 1 Simple Online Leave Management System | 2026-07-13 | 6.3 Medium |
| A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-57407 | 2 Wordpress, Wpswings | 2 Wordpress, Pdf Generator For Wordpress | 2026-07-13 | 7.2 High |
| Server-Side Request Forgery (SSRF) vulnerability in WP Swings PDF Generator for WordPress pdf-generator-for-wp allows Server Side Request Forgery.This issue affects PDF Generator for WordPress: from n/a through <= 1.6.2. | ||||
| CVE-2026-59516 | 2026-07-13 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1. | ||||
| CVE-2026-57812 | 2 Nsquared, Wordpress | 2 Simply Schedule Appointments, Wordpress | 2026-07-13 | 6.5 Medium |
| Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.12.4. | ||||