Export limit exceeded: 361192 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361192 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8592 | 1 Rapid7 | 1 Insightconnect Awk Plugin | 2026-06-26 | 7.7 High |
| OS Command Injection vulnerability in the process_string action of Rapid7 InsightConnect AWK Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to unsafe shell command construction in the processing pipeline. | ||||
| CVE-2026-8666 | 1 Rapid7 | 1 Insightconnect Traceroute Plugin | 2026-06-26 | 7.7 High |
| OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host, port, max_ttl, count, or time_out request parameters due to insufficient input validation when constructing shell commands. | ||||
| CVE-2026-8662 | 1 Rapid7 | 1 Insightconnect Compression Plugin | 2026-06-26 | 3.3 Low |
| Path Traversal vulnerability in the create_archive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker. | ||||
| CVE-2026-8658 | 1 Rapid7 | 1 Insightconnect Tcpdump Plugin | 2026-06-26 | 6 Medium |
| OS Command Injection vulnerability in Rapid7 InsightConnect Tcpdump Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the options or filter parameters due to insufficient input sanitization in shell command construction. | ||||
| CVE-2026-5305 | 3 Email Encoder, Simple Mail Address Encoder Project, Wordpress | 3 Email Encoder, Simple Mail Address Encoder, Wordpress | 2026-06-26 | 8.8 High |
| The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks | ||||
| CVE-2026-9702 | 2 Inpost Pl, Wordpress | 2 Inpost Pl, Wordpress | 2026-06-26 | 7.5 High |
| The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site. | ||||
| CVE-2026-12937 | 2 Themefic, Wordpress | 2 Tourfic – Ai Powered Travel Booking, Hotel Booking & Car Rental Wordpress Plugin, Wordpress | 2026-06-26 | 7.5 High |
| The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path. | ||||
| CVE-2026-56129 | 2 Dynabook, Toshiba Corporation | 2 Generic Io & Memory Access Driver, Generic Io & Memory Access Driver | 2026-06-26 | 5.5 Medium |
| Generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user with no administrative privilege may access physical memory. | ||||
| CVE-2026-56130 | 1 Apache | 1 Shiro | 2026-06-26 | N/A |
| "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue. | ||||
| CVE-2026-54838 | 2 Rymera Web Co, Wordpress | 2 Wc Vendors Marketplace, Wordpress | 2026-06-26 | 8.5 High |
| Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions. | ||||
| CVE-2026-54843 | 2 Pluginus.net, Wordpress | 2 Mdtf, Wordpress | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in MDTF <= 1.3.7 versions. | ||||
| CVE-2026-54844 | 2 Checkview, Wordpress | 2 Checkview Automated Testing, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions. | ||||
| CVE-2026-54845 | 2 Pluginus.net, Wordpress | 2 Mdtf, Wordpress | 2026-06-26 | 8.1 High |
| Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions. | ||||
| CVE-2026-56013 | 2 Mycred, Wordpress | 2 License Manager For Woocommerce, Wordpress | 2026-06-26 | 6.5 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions. | ||||
| CVE-2026-57429 | 2 Elightup, Wordpress | 2 Slim Seo, Wordpress | 2026-06-26 | 6.5 Medium |
| Contributor Broken Access Control in Slim SEO <= 4.6.2 versions. | ||||
| CVE-2026-54836 | 2 Wordpress, Ymc | 2 Wordpress, Ymc Filter | 2026-06-26 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5. | ||||
| CVE-2026-2815 | 1 Silicon Labs | 1 Sisdk | 2026-06-26 | N/A |
| Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys | ||||
| CVE-2026-4526 | 1 Silicon Labs | 1 Emberznet | 2026-06-26 | N/A |
| In EmberZNet v9.0.2 and earlier, malformed global ZCL messages can trigger out-of-bounds reads in framework parsing logic and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. | ||||
| CVE-2026-56122 | 1 Rickknowles | 1 Winstone Servlet Container | 2026-06-26 | 7.5 High |
| Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges. | ||||
| CVE-2026-47145 | 1 Silicon Labs | 1 Emberznet | 2026-06-26 | N/A |
| In EmberZNet v9.0.2 and earlier, malformed Color Control messages can lead to asserts that terminate the process. These messages must come from a device that has already joined the network. Only devices supporting the Color Control cluster may be impacted. | ||||