Export limit exceeded: 340783 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 340783 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (340783 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33149 | 2026-03-26 | 8.1 High | ||
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available. | ||||
| CVE-2026-33014 | 2026-03-26 | 5.2 Medium | ||
| EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a remote stop. Version 2026.02.0 contains a patch. | ||||
| CVE-2026-32524 | 2 Jordy Meow, Wordpress | 2 Photo Engine, Wordpress | 2026-03-26 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9. | ||||
| CVE-2026-32522 | 2 Vanquish, Wordpress | 2 Woocommerce Support Ticket System, Wordpress | 2026-03-26 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This issue affects WooCommerce Support Ticket System: from n/a through < 18.5. | ||||
| CVE-2026-32520 | 2 Andrew Munro / Affiliatewp, Wordpress | 2 Rewardswp, Wordpress | 2026-03-26 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4. | ||||
| CVE-2026-32516 | 2 Kamleshyadav, Wordpress | 2 Miraculous Core Plugin, Wordpress | 2026-03-26 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2. | ||||
| CVE-2026-32504 | 2 Creativews, Wordpress | 2 Vintwood, Wordpress | 2026-03-26 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects VintWood: from n/a through <= 1.1.8. | ||||
| CVE-2026-32501 | 2 Wordpress, Wp-configurator | 2 Wordpress, Wp Configurator Pro | 2026-03-26 | 7.1 High |
| Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9. | ||||
| CVE-2026-32500 | 2 Creativews, Wordpress | 2 Metamax, Wordpress | 2026-03-26 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion.This issue affects MetaMax: from n/a through <= 1.1.4. | ||||
| CVE-2026-32495 | 2 Linksoftwarellc, Wordpress | 2 Wp Terms Popup, Wordpress | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0. | ||||
| CVE-2026-32485 | 2 Wedevs, Wordpress | 2 Wp User Frontend, Wordpress | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8. | ||||
| CVE-2026-32441 | 2 Webtoffee, Wordpress | 2 Wordpress Comments Import And Export, Wordpress | 2026-03-26 | 7.7 High |
| Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9. | ||||
| CVE-2026-30463 | 2026-03-26 | N/A | ||
| Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. | ||||
| CVE-2026-30458 | 2026-03-26 | N/A | ||
| An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. | ||||
| CVE-2026-30457 | 2026-03-26 | N/A | ||
| An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. | ||||
| CVE-2026-30162 | 2026-03-26 | 6.1 Medium | ||
| Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field. | ||||
| CVE-2026-29969 | 2026-03-26 | N/A | ||
| A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request. | ||||
| CVE-2026-29934 | 2026-03-26 | 6.1 Medium | ||
| A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header. | ||||
| CVE-2026-29905 | 2026-03-26 | 6.5 Medium | ||
| Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError. | ||||
| CVE-2026-29055 | 2026-03-26 | 5.3 Medium | ||
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue. As a result, when users upload recipe photos in WebP format (the default format for modern smartphone cameras), their sensitive EXIF data — including GPS coordinates, camera model, timestamps, and software information — is stored and served to all users who can view the recipe. Version 2.6.0 fixes the issue. | ||||