Export limit exceeded: 340733 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 340733 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (340733 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22510 | 2 Ancorathemes, Wordpress | 2 Melody, Wordpress | 2026-03-26 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3. | ||||
| CVE-2026-22507 | 2 Ancorathemes, Wordpress | 2 Beelove, Wordpress | 2026-03-26 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.This issue affects Beelove: from n/a through <= 1.2.6. | ||||
| CVE-2026-22505 | 2 Ancorathemes, Wordpress | 2 Morning Records, Wordpress | 2026-03-26 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2. | ||||
| CVE-2026-22500 | 2 Axiomthemes, Wordpress | 2 M2 | Construction And Tools Store, Wordpress | 2026-03-26 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2. | ||||
| CVE-2026-22485 | 2 Ruhul080, Wordpress | 2 My Album Gallery, Wordpress | 2026-03-26 | 6.5 Medium |
| Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4. | ||||
| CVE-2026-22480 | 2 Webtoffee, Wordpress | 2 Product Feed For Woocommerce, Wordpress | 2026-03-26 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3. | ||||
| CVE-2025-32988 | 2 Gnu, Redhat | 9 Gnutls, Ceph Storage, Discovery and 6 more | 2026-03-26 | 6.5 Medium |
| A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. | ||||
| CVE-2019-25630 | 1 Phreesoft | 1 Phreebookserp | 2026-03-26 | 8.8 High |
| PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution. | ||||
| CVE-2019-25578 | 2 Codnloc, Phptransformer | 2 Phptransformer, Phptransformer | 2026-03-26 | 8.2 High |
| phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries. | ||||
| CVE-2026-33246 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 6.4 Medium |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available. | ||||
| CVE-2026-33219 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 5.3 Medium |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment. | ||||
| CVE-2026-33218 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 7.5 High |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered. | ||||
| CVE-2026-33217 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 7.1 High |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available. | ||||
| CVE-2026-33216 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 8.6 High |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users. | ||||
| CVE-2026-29785 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 7.5 High |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port. | ||||
| CVE-2026-27889 | 2 Linuxfoundation, Nats | 2 Nats-server, Nats Server | 2026-03-26 | 7.5 High |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack. | ||||
| CVE-2026-20688 | 1 Apple | 5 Ios And Ipados, Ipados, Iphone Os and 2 more | 2026-03-26 | 9.3 Critical |
| A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to break out of its sandbox. | ||||
| CVE-2026-33161 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-26 | 4.3 Medium |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14. | ||||
| CVE-2026-33159 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-26 | 6.5 Medium |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14. | ||||
| CVE-2026-33158 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-26 | 6.5 Medium |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14. | ||||