Export limit exceeded: 359603 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (359603 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69164 | 2 Themerex, Wordpress | 2 Skyward, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Skyward <= 1.10 versions. | ||||
| CVE-2025-69170 | 2 Themerex, Wordpress | 2 Eventicity, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions. | ||||
| CVE-2025-69175 | 2 Themerex, Wordpress | 2 Line Agency, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions. | ||||
| CVE-2026-39445 | 2 Presslayouts, Wordpress | 2 Alukas, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions. | ||||
| CVE-2026-39559 | 2 Codesupplyco, Wordpress | 2 Uppercase, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. | ||||
| CVE-2026-40738 | 2 Edge-themes, Wordpress | 2 Eldon, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions. | ||||
| CVE-2026-40752 | 2 Select-themes, Wordpress | 2 Manufaktur Solutions, Wordpress | 2026-06-20 | 8.1 High |
| Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions. | ||||
| CVE-2026-49108 | 2 Park Of Ideas, Wordpress | 2 Moderno, Wordpress | 2026-06-20 | 9.8 Critical |
| Unauthenticated PHP Object Injection in Moderno < 1.43 versions. | ||||
| CVE-2025-60229 | 2 Themeton, Wordpress | 2 Lagom, Wordpress | 2026-06-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0. | ||||
| CVE-2025-60230 | 2 Themeton, Wordpress | 2 The Barber Shop, Wordpress | 2026-06-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9. | ||||
| CVE-2026-54819 | 2 Webilia Inc., Wordpress | 2 Listdom, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0. | ||||
| CVE-2026-54815 | 2 Cargo Rd, Wordpress | 2 Cargo Shipping Location For Woocommerce, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. | ||||
| CVE-2025-60231 | 2 Emv, Wordpress | 2 The Hospital, Wordpress | 2026-06-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1. | ||||
| CVE-2025-60236 | 2 Emv, Wordpress | 2 Creatify, Wordpress | 2026-06-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5. | ||||
| CVE-2025-69128 | 2 Emv, Wordpress | 2 Jobcareer, Wordpress | 2026-06-20 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3. | ||||
| CVE-2025-69189 | 2 Emv, Wordpress | 2 Jobbank, Wordpress | 2026-06-20 | 7.3 High |
| Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3. | ||||
| CVE-2026-54808 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel Gutenberg Blocks | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4. | ||||
| CVE-2026-54809 | 2 Villatheme, Wordpress | 2 Gift4u, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10. | ||||
| CVE-2026-48117 | 1 Fduflyer | 1 Droneaware-node-releases | 2026-06-20 | 6.8 Medium |
| DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable. | ||||
| CVE-2026-55743 | 1 Tinyhumansai | 1 Openhuman | 2026-06-20 | 9.6 Critical |
| The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find. | ||||