Search Results (361858 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-31978 | 1 Motioneye Project | 1 Motioneye | 2026-06-25 | 6.5 Medium | motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0. |
| CVE-2026-52805 | 1 Gogs | 1 Gogs | 2026-06-25 | 8.7 High | Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to a blocked internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository. This vulnerability is fixed in 0.14.3. |
| CVE-2026-56042 | 2 Algolplus, Wordpress | 2 Advanced Order Export For Woocommerce, Wordpress | 2026-06-25 | 7.1 High | Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions. |
| CVE-2026-56049 | 2 Postsnippets, Wordpress | 2 Post Snippets, Wordpress | 2026-06-25 | 8.5 High | Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions. |
| CVE-2026-56054 | 2 Ahmad, Wordpress | 2 Js Help Desk, Wordpress | 2026-06-25 | 7.7 High | Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions. |
| CVE-2026-41120 | 1 Dell | 1 Wyse Management Suite | 2026-06-25 | 9.8 Critical | Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution. |
| CVE-2026-46732 | 1 Dell | 1 Display And Peripheral Manager | 2026-06-25 | 6.7 Medium | Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain a Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. |
| CVE-2026-46734 | 1 Dell | 1 Display And Peripheral Manager | 2026-06-25 | 7.3 High | Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass. |
| CVE-2026-57587 | 1 Tenable | 1 Nessus | 2026-06-25 | 5.3 Medium | A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data. |
| CVE-2026-57588 | 1 Tenable | 1 Nessus | 2026-06-25 | 3.3 Low | A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data. |
| CVE-2026-46735 | 1 Dell | 1 Display And Peripheral Manager | 2026-06-25 | 7.8 High | Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. |
| CVE-2025-2586 | 1 Redhat | 1 Openshift Lightspeed | 2026-06-25 | 7.5 High | A flaw was found in the OpenShift Lightspeed Service, which is vulnerable to unauthenticated API request flooding. Repeated queries to non-existent endpoints inflate metrics storage and processing, consuming excessive resources. This issue can lead to monitoring system degradation, increased disk usage, and potential service unavailability. Since the issue does not require authentication, an external attacker can exhaust CPU, RAM, and disk space, impacting both application and cluster stability. |
| CVE-2026-13225 | 1 Pretix | 1 Pretix | 2026-06-25 | N/A | Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order. |
| CVE-2026-57535 | 1 Pretix | 1 Pretix | 2026-06-25 | N/A | Content injected into PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to a URL, the PDF rendering engine would download the image from that location and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network. |
| CVE-2026-57533 | 1 Pretix | 1 Pretix | 2026-06-25 | N/A | Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes. |
| CVE-2026-12992 | 1 Redhat | 1 Apicurio Registry | 2026-06-25 | 7.4 High | A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery). |
| CVE-2026-53218 | 1 Linux | 1 Linux Kernel | 2026-06-25 | 7.0 High | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag. nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set. |
| CVE-2026-53269 | 1 Linux | 1 Linux Kernel | 2026-06-25 | 5.5 Medium | In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting. As the synproxy infrastructure registers netfilter hooks on demand when a user adds the first iptables target or nftables expression, if done concurrently they can race each other. Introduce a mutex to serialize access to the refcount control blocks from both frontends. While a per-namespace mutex might be more efficient, it is not needed for a target/expression like SYNPROXY. |
| CVE-2026-40210 | 1 Powerdns | 1 Dnsdist | 2026-06-25 | 4.8 Medium | An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash. |
| CVE-2026-42004 | 1 Powerdns | 1 Dnsdist | 2026-06-25 | 3.7 Low | An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter. |