Export limit exceeded: 343028 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343028 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-53930 | 1 Projectsend | 1 Projectsend | 2026-04-07 | 7.5 High |
| ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php. | ||||
| CVE-2023-53929 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-04-07 | 8.8 High |
| phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. | ||||
| CVE-2023-53928 | 1 Php-fusion | 1 Phpfusion | 2026-04-07 | 5.4 Medium |
| PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. | ||||
| CVE-2023-53927 | 2 Phpjabbers, Simple-cms Project | 2 Simple Cms, Simple Cms | 2026-04-07 | 5.4 Medium |
| PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution. | ||||
| CVE-2023-53926 | 2 Phpjabbers, Simple-cms Project | 2 Simple Cms, Simple Cms | 2026-04-07 | 9.8 Critical |
| PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to potentially extract or modify database information. | ||||
| CVE-2023-53925 | 1 Ulicms | 1 Ulicms | 2026-04-07 | 6.1 Medium |
| UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users. | ||||
| CVE-2023-53924 | 1 Ulicms | 1 Ulicms | 2026-04-07 | 8.8 High |
| UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads. | ||||
| CVE-2023-53923 | 1 Ulicms | 1 Ulicms | 2026-04-07 | 9.8 Critical |
| UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access. | ||||
| CVE-2026-35047 | 1 Ajax30 | 1 Bravecms-2.0 | 2026-04-07 | N/A |
| Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6. | ||||
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2026-04-07 | 9.8 Critical |
| TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. | ||||
| CVE-2023-53921 | 1 Sitemagic | 2 Sitemagic, Sitemagic Cms | 2026-04-07 | 9.8 Critical |
| SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands. | ||||
| CVE-2023-53920 | 1 Podcastgenerator | 1 Podcast Generator | 2026-04-07 | 5.4 Medium |
| PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute when users visit the application's home page. | ||||
| CVE-2023-53919 | 1 Podcastgenerator | 1 Podcast Generator | 2026-04-07 | 5.4 Medium |
| PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into the Freebox content execute when users visit the application's home page. | ||||
| CVE-2023-53918 | 1 Podcastgenerator | 1 Podcast Generator | 2026-04-07 | 6.1 Medium |
| PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page (episodes_list.php). | ||||
| CVE-2023-53917 | 1 Powerstonegh | 1 Affiliate Me | 2026-04-07 | 6.5 Medium |
| Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes. | ||||
| CVE-2023-53916 | 1 Zenphoto | 1 Zenphoto | 2026-04-07 | 4.6 Medium |
| Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the postal code field execute in their browser context. | ||||
| CVE-2023-53915 | 1 Zenphoto | 1 Zenphoto | 2026-04-07 | 4.6 Medium |
| Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users view the album page. | ||||
| CVE-2023-53914 | 1 Ulicms | 1 Ulicms | 2026-04-07 | 9.8 Critical |
| UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access. | ||||
| CVE-2023-53913 | 1 Rukovoditel | 1 Rukovoditel | 2026-04-07 | 8.8 High |
| Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file. | ||||
| CVE-2023-53912 | 2 Malwarebytes, Microsoft | 2 Binosoft Usb Flash Drives Control, Windows | 2026-04-07 | 6.2 Medium |
| USB Flash Drives Control 4.1.0.0 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\USB Flash Drives Control\usbcs.exe' to inject malicious executables and escalate privileges on Windows systems. | ||||