Export limit exceeded: 364798 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364798 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-11915 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*. | ||||
| CVE-2026-15089 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*. | ||||
| CVE-2026-15087 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*. | ||||
| CVE-2026-15086 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*. | ||||
| CVE-2026-15085 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3. | ||||
| CVE-2026-15084 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17. | ||||
| CVE-2026-15082 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1. | ||||
| CVE-2026-15081 | 2026-07-10 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0. | ||||
| CVE-2026-15080 | 2026-07-10 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4. | ||||
| CVE-2026-58591 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0. | ||||
| CVE-2026-58590 | 2026-07-10 | N/A | ||
| Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-58589 | 2026-07-10 | N/A | ||
| Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-13244 | 2026-07-10 | N/A | ||
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0. | ||||
| CVE-2026-52200 | 2026-07-10 | 9.8 Critical | ||
| An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk | ||||
| CVE-2026-55462 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 4.3 Medium |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55515 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 5 Medium |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset, allowing a reports user in one company to delete pending checkout acceptance records for another company. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55466 | 1 Grokability | 1 Snipe-it | 2026-07-10 | N/A |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer’s browser. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55452 | 1 Grokability | 1 Snipe-it | 2026-07-10 | N/A |
| Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0. | ||||
| CVE-2026-55479 | 1 Grokability | 1 Snipe-it | 2026-07-10 | N/A |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55475 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 5.7 Medium |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1. | ||||