Export limit exceeded: 358859 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358859 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33997 | 2 Docker, Moby | 2 Engine, Moby | 2026-06-16 | 6.8 Medium |
| Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1. | ||||
| CVE-2026-25836 | 1 Fortinet | 3 Fortisandbox Cloud, Fortisandboxcloud, Fortisandboxpaas | 2026-06-16 | 6.7 Medium |
| An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2026-26791 | 1 Gl-inet | 3 Ar300m16, Ar300m16 Firmware, Gl-ar300m16 | 2026-06-16 | 9.8 Critical |
| GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2026-26792 | 1 Gl-inet | 3 Ar300m16, Ar300m16 Firmware, Gl-ar300m16 | 2026-06-16 | 9.8 Critical |
| GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type parameters. These vulnerabilities allow attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2026-26795 | 1 Gl-inet | 3 Ar300m16, Ar300m16 Firmware, Gl-ar300m16 | 2026-06-16 | 9.8 Critical |
| GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2026-32746 | 1 Gnu | 1 Inetutils | 2026-06-16 | 9.8 Critical |
| telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. | ||||
| CVE-2026-49768 | 2 Happyforms, Wordpress | 2 Happyforms, Wordpress | 2026-06-16 | 9.8 Critical |
| Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | ||||
| CVE-2026-53475 | 1 Kubev2v | 2 Assisted-migration-agent, Assisted Migration Agent | 2026-06-16 | 9.3 Critical |
| A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter. | ||||
| CVE-2026-40772 | 2026-06-16 | 10 Critical | ||
| Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions. | ||||
| CVE-2026-40796 | 2026-06-16 | 6.5 Medium | ||
| Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions. | ||||
| CVE-2026-42384 | 2 Nsquared, Wordpress | 2 Simply Schedule Appointments, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. | ||||
| CVE-2026-45441 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions. | ||||
| CVE-2026-53474 | 2 Kebev2v, Kubev2v | 2 Migration Assessment, Migration-planner | 2026-06-16 | 9.6 Critical |
| A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment. | ||||
| CVE-2026-49110 | 2 Wordpress, Wp Swings | 2 Wordpress, Upsell Order Bump Offer For Woocommerce | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions. | ||||
| CVE-2026-48878 | 2026-06-16 | 6.5 Medium | ||
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions. | ||||
| CVE-2026-49109 | 2026-06-16 | 9.8 Critical | ||
| Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. | ||||
| CVE-2026-49766 | 2026-06-16 | 9.9 Critical | ||
| Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. | ||||
| CVE-2026-39491 | 2 Artbees, Wordpress | 2 Jupiter X Core, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions. | ||||
| CVE-2026-48870 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions. | ||||
| CVE-2026-26830 | 2 Mooz, Pdf-image Project | 2 Pdf-image, Pdf-image | 2026-06-16 | 9.8 Critical |
| pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec() | ||||