Export limit exceeded: 350686 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350686 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8244 | 1 Industrial Application Software Ias | 1 Canias Erp | 2026-05-11 | 5.3 Medium |
| A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-50948 | 2 Motopress, Wordpress | 2 Hotel Booking Lite, Wordpress | 2026-05-11 | 6.4 Medium |
| Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | ||||
| CVE-2022-50958 | 3 Automattic, Jetpack, Wordpress | 3 Jetpack Boost, Jetpack, Wordpress | 2026-05-11 | 6.1 Medium |
| WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2022-50964 | 1 Ubidauction | 1 Ubidauction | 2026-05-11 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2026-44407 | 1 Zte | 1 Zxcloud Irai | 2026-05-11 | 4.7 Medium |
| A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | ||||
| CVE-2026-41644 | 1 Monetr | 1 Monetr | 2026-05-11 | 7.1 High |
| monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5. | ||||
| CVE-2026-6805 | 2 Ercom, Thalesgroup | 2 Cryptobox, Ercom Cryptobox | 2026-05-11 | 7.5 High |
| Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link. | ||||
| CVE-2022-50943 | 1 Moodle | 1 Moodle | 2026-05-11 | 6.1 Medium |
| Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. | ||||
| CVE-2022-50959 | 2 Wordpress, Wpdevart | 2 Wordpress, Contact Form Builder | 2026-05-11 | 6.1 Medium |
| WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2022-50965 | 1 Ubidauction | 1 Ubidauction | 2026-05-11 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2026-8235 | 1 8421bit | 1 Miniclaw | 2026-05-11 | 5.5 Medium |
| A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2026-45182 | 1 Grapheneos | 1 Grapheneos | 2026-05-11 | 2.2 Low |
| GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled. | ||||
| CVE-2021-47907 | 1 Rocketsoft | 1 Rocket Lms | 2026-05-11 | 6.4 Medium |
| Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks. | ||||
| CVE-2021-47926 | 2 Form2email, Wordpress | 2 Contact Form To Email, Wordpress | 2026-05-11 | 6.4 Medium |
| Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | ||||
| CVE-2026-0966 | 2 Libssh, Redhat | 6 Libssh, Enterprise Linux, Hardened Images and 3 more | 2026-05-11 | 8.2 High |
| A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process. | ||||
| CVE-2026-8142 | 1 Cert | 1 Vince | 2026-05-11 | 6.5 Medium |
| VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates. | ||||
| CVE-2021-47932 | 2 Thecartpress, Wordpress | 2 Thecartpress, Wordpress | 2026-05-11 | 9.8 Critical |
| WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | ||||
| CVE-2026-8098 | 1 Code-projects | 1 Feedback System | 2026-05-11 | 7.3 High |
| A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-8114 | 1 Jeecg | 1 Jeecgboot | 2026-05-11 | 6.3 Medium |
| A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved." | ||||
| CVE-2024-27686 | 1 Mikrotik | 1 Routeros | 2026-05-11 | 7.5 High |
| Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. | ||||