Export limit exceeded: 350686 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350686 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61306 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_coveragealerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61307 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61308 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61309 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_departments.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61310 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61311 | 1 Docuform | 1 Docuform | 2026-05-12 | 7.3 High |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_alerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61312 | 1 Docuform | 1 Docuform | 2026-05-12 | 7.3 High |
| A reflected cross-site scripted (XSS) vulnerability in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-61314 | 1 Docuform | 1 Docuform | 2026-05-12 | 7.3 High |
| A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_orderopt.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value. | ||||
| CVE-2025-65415 | 1 Docuform | 1 Docuform | 2026-05-12 | 5.4 Medium |
| docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application. | ||||
| CVE-2025-65416 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.3 Medium |
| docuFORM Managed Print Service Client 11.11c is vulnerable to arbitrary file upload via pmupdate.php. | ||||
| CVE-2025-65417 | 1 Docuform | 1 Docuform | 2026-05-12 | 6.1 Medium |
| docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross site scripting attack via the login page of the application. | ||||
| CVE-2026-36906 | 1 Iioter | 1 Iotgateway | 2026-05-12 | 6.1 Medium |
| Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function | ||||
| CVE-2026-38568 | 1 Stratonwebdesigners | 1 Hireflow | 2026-05-12 | 8.1 High |
| HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system. | ||||
| CVE-2026-38569 | 1 Stratonwebdesigners | 1 Hireflow | 2026-05-12 | 5.4 Medium |
| HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add. | ||||
| CVE-2026-41951 | 1 Growi | 1 Growi | 2026-05-12 | N/A |
| Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI. | ||||
| CVE-2025-10470 | 1 Wso2 | 3 Identity Server, Wso2 Carbon Magiclink Authenticator Module, Wso2 Identity Server | 2026-05-12 | 8.6 High |
| The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger. | ||||
| CVE-2026-3319 | 1 E-commerce | 1 Cradle | 2026-05-12 | N/A |
| Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code. | ||||
| CVE-2026-3320 | 1 E-commerce | 1 Cradle | 2026-05-12 | N/A |
| Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code. | ||||
| CVE-2026-42842 | 1 Getgrav | 2 Grav, Grav-plugin-form | 2026-05-12 | 5.4 Medium |
| The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0. | ||||
| CVE-2026-42843 | 1 Getgrav | 1 Grav-plugin-api | 2026-05-12 | 8.8 High |
| Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15. | ||||