Export limit exceeded: 365250 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365250 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57800 | 2026-07-13 | 7.5 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.5. | ||||
| CVE-2026-61955 | 2 Hannan, Wordpress | 2 گرویتی فرم فارسی, Wordpress | 2026-07-13 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through <= 3.0.2. | ||||
| CVE-2026-61956 | 2 Hamsalam, Wordpress | 2 ووسلام – همگام سازی ووکامرس و باسلام, Wordpress | 2026-07-13 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in hamsalam ووسلام – همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام – همگام سازی ووکامرس و باسلام: from n/a through <= 1.9.1. | ||||
| CVE-2026-61970 | 2 Themeisle, Wordpress | 2 Auto Featured Image (auto Post Thumbnail), Wordpress | 2026-07-13 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <= 5.0.4. | ||||
| CVE-2026-57810 | 2 Saad Iqbal, Wordpress | 2 Apiexperts Square For Woocommerce, Wordpress | 2026-07-13 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.4. | ||||
| CVE-2026-61977 | 2 Crocoblock, Wordpress | 2 Jetsearch, Wordpress | 2026-07-13 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2. | ||||
| CVE-2026-61985 | 2 Magepeopleteam, Wordpress | 2 Car Rental Manager, Wordpress | 2026-07-13 | 5.3 Medium |
| Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7. | ||||
| CVE-2026-22093 | 1 Evbee | 1 Evbee Service | 2026-07-13 | N/A |
| The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00. | ||||
| CVE-2026-57816 | 2 Funnelkit, Wordpress | 2 Funnel Builder By Funnelkit, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows Reflected XSS.This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.15.0.8. | ||||
| CVE-2026-22095 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
| CVE-2026-22100 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root. | ||||
| CVE-2026-22096 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints. | ||||
| CVE-2026-22102 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means. | ||||
| CVE-2026-61971 | 2 Cozmoslabs, Wordpress | 2 User Profile Picture, Wordpress | 2026-07-13 | 2.7 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3. | ||||
| CVE-2026-22099 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL. | ||||
| CVE-2026-22097 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution. | ||||
| CVE-2026-22098 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| Various sensitive information such as passwords and charging card UIDs are written to log files. | ||||
| CVE-2026-22103 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The NPC start endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
| CVE-2026-14846 | 1 Prestashop | 1 The Firmware | 2026-07-13 | N/A |
| In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data. | ||||
| CVE-2026-13014 | 1 Thalesgroup | 1 Cert Suspicious | 2026-07-13 | N/A |
| A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent denial of service, the potential compromise of application secrets or integrations, and root-level execution inside the Django application container. This vulnerability has been names "Matryoshka Mail". Thales PSIRT acknowledges and thanks Lucien Doustaly (aka wlayzz) for discovering and reporting this issue. | ||||