Export limit exceeded: 351491 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351491 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37234 | 1 Tonec | 1 Internet Download Manager | 2026-05-18 | 6.2 Medium |
| Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to trigger a denial of service condition. | ||||
| CVE-2020-37240 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-05-18 | 6.4 Medium |
| Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which execute when viewing the User List page. | ||||
| CVE-2020-37246 | 2 Supsystic, Wordpress | 2 Backup, Wordpress | 2026-05-18 | 6.2 Medium |
| Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter. | ||||
| CVE-2021-47955 | 1 Couchcms | 1 Couchcms | 2026-05-18 | 5.4 Medium |
| CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which are then executed in users' browsers when the files are accessed or previewed. | ||||
| CVE-2018-25338 | 2 Bylancer, Zechat Project | 2 Zechat, Zechat | 2026-05-18 | 8.2 High |
| Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit the hashtag parameter with union-based payloads to retrieve table and column names. | ||||
| CVE-2021-47972 | 1 Sticky-notes-color-widgets | 1 Sticky Notes Color Widgets | 2026-05-18 | 7.5 High |
| Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can paste large payloads of repeated characters into note fields to trigger application crashes and make the application stop responding. | ||||
| CVE-2021-47978 | 1 Processmaker | 1 Processmaker | 2026-05-18 | 6.2 Medium |
| ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication. | ||||
| CVE-2026-8735 | 1 Oinone | 1 Pamirs | 2026-05-18 | 6.3 Medium |
| A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8741 | 1 Emqx | 1 Emqx | 2026-05-18 | 3.1 Low |
| A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to race condition. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8750 | 1 H2oai | 1 H2o-3 | 2026-05-18 | 5.3 Medium |
| A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-32848 | 2026-05-18 | 4.7 Medium | ||
| NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory. | ||||
| CVE-2018-25327 | 1 Joomsky | 1 Js Jobs | 2026-05-18 | 5.3 Medium |
| Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modify component settings when administrators visit attacker-controlled pages. | ||||
| CVE-2018-25333 | 1 Nordex-online | 1 N149 Wind Turbine Web Server | 2026-05-18 | 8.2 High |
| Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloads in the login field to extract sensitive database information and bypass authentication mechanisms. | ||||
| CVE-2018-25339 | 2 Bylancer, Zechat Project | 2 Zechat, Zechat | 2026-05-18 | 8.2 High |
| Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the v parameter with sleep-based blind injection to confirm vulnerability and extract data. | ||||
| CVE-2026-8756 | 1 Fishaudio | 1 Bert-vits2 | 2026-05-18 | 7.3 High |
| A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8766 | 2 Kilo, Kilo-org | 2 Kilo Code, Kilocode | 2026-05-18 | 4.3 Medium |
| A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8772 | 1 Linlinjava | 1 Litemall | 2026-05-18 | 4.7 Medium |
| A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8779 | 1 Omec-project | 1 Amf | 2026-05-18 | 4.3 Medium |
| A vulnerability was determined in omec-project amf up to 2.1.3-dev. Impacted is the function NGSetupRequest of the file ngap/handler.go. Executing a manipulation of the argument InformationElement can lead to memory corruption. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.2.0 is recommended to address this issue. The affected component should be upgraded. The same pull request fixes multiple security issues. | ||||
| CVE-2026-8785 | 1 Projectworlds | 2 Hospital-management-system-in-php, Hospital Management System In Php | 2026-05-18 | 7.3 High |
| A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-41119 | 2026-05-18 | 6.8 Medium | ||
| Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to loss of confidentiality and integrity. | ||||