Export limit exceeded: 366369 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (366369 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-25327 1 Joomsky 1 Js Jobs 2026-07-15 5.3 Medium
Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modify component settings when administrators visit attacker-controlled pages.
CVE-2018-25324 2 Simple Fields Project, Wordpress 2 Simple Fields, Wordpress 2026-07-15 6.2 Medium
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4. Attackers can supply malicious wp_abspath values to simple_fields.php to include files like /etc/passwd or inject PHP code into Apache logs for remote code execution when allow_url_include is enabled.
CVE-2018-25317 1 Tenda 6 A302, A302 Firmware, W3002r and 3 more 2026-07-15 9.8 Critical
Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.
CVE-2018-25316 1 Tenda 2 W308r, W308r Firmware 2026-07-15 9.8 Critical
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.
CVE-2018-25307 2 Flexense, Sysgauge 2 Sysgauge, Sysgauge Pro 2026-07-15 8.4 High
SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock key. Attackers can inject shellcode through the Unlock Key field during registration to execute arbitrary code with application privileges.
CVE-2018-25296 2 Fireeye, P10 2 Central Management, Central Management Software 2026-07-15 5.5 Medium
P10 Central Management Software 1.4.13 contains a buffer overflow vulnerability in the login password field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 2000-byte payload into the password field and click login to trigger an application crash and denial of service.
CVE-2018-25264 1 Acutesystems 1 Transmac 2026-07-15 6.2 Medium
TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Attackers can generate a payload file containing 4000 bytes of data, paste it into the License Key field, and trigger a denial of service condition.
CVE-2018-25243 2 Caspie, Fasttube 2 Fast Tube, Fasttube 2026-07-15 6.2 Medium
FastTube 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste a buffer of 1900 characters into the search bar and trigger a crash when the search operation is executed.
CVE-2018-25236 1 Belden 2 Hirschmann Hios, Hirschmann Hisecos 2026-07-15 9.8 Critical
Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.
CVE-2018-25212 2 Boxoft, Vmware 2 Wav To Wma Converter, Converter Enterprise Client 2026-07-15 8.4 High
Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Attackers can create a specially crafted WAV file with excessive data and ROP gadgets to overwrite the SEH chain and achieve code execution on Windows systems.
CVE-2018-25207 2 Ays-pro, Hscripts 2 Quiz Maker, Online Quiz Maker 2026-07-15 7.1 High
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication.
CVE-2018-25203 2 Online Store System Project, Wecodex 2 Online Store System, Online Store System Cms 2026-07-15 8.2 High
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.
CVE-2018-25193 1 Cesanta 2 Mongoose, Mongoose Web Server 2026-07-15 7.5 High
Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources and cause service unavailability.
CVE-2017-20273 2 Joomlashowroom, Vcita 2 Event Registration Pro Calendar, Event Registration Calendar By Vcita 2026-07-15 8.2 High
Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information.
CVE-2017-20268 2 Apereo, Zcontent 2 Bw-calendar-engine, Zap Calendar Lite 2026-07-15 8.2 High
Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures.
CVE-2017-20229 2 Invisible-island, Mawk 2 Mawk, Mawk 2026-07-15 9.8 Critical
MAWK 1.3.3-17 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting inadequate boundary checks on user-supplied input. Attackers can craft malicious input that overflows the stack buffer and execute a return-oriented programming chain to spawn a shell with application privileges.
CVE-2016-20094 1 Anydesk 1 Anydesk 2026-07-15 7.8 High
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.
CVE-2016-20093 2 Wise, Wisecleaner 2 Wisecleaner, Wise Care 365 2026-07-15 7.8 High
Wise Care 365 4.27 and Wise Disk Cleaner 9.29 contain unquoted service path vulnerabilities in the WiseBootAssistant and SpyHunter 4 Service respectively, allowing local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that execute during service startup or system reboot with elevated privileges.
CVE-2016-20091 2 Malwarebytes, Microsoft 2 Binisoft Windows Firewall Control, Windows Firewall 2026-07-15 7.8 High
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot.
CVE-2016-20085 2 Dell, Realtek 2 Realtek High Definition Audio Driver, Realtek High Definition Audio Driver 2026-07-15 7.8 High
Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service path. Attackers can insert an executable file in the unquoted path and restart the service to execute code with LocalSystem privileges.