Export limit exceeded: 349957 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349957 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13480 | 2 Fudo Security, Fudosecurity | 2 Fudo Enterprise, Fudo Enterprise | 2026-05-11 | 6.5 Medium |
| Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3 | ||||
| CVE-2026-8244 | 1 Industrial Application Software Ias | 1 Canias Erp | 2026-05-11 | 5.3 Medium |
| A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-50948 | 2 Motopress, Wordpress | 2 Hotel Booking Lite, Wordpress | 2026-05-11 | 6.4 Medium |
| Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | ||||
| CVE-2022-50958 | 3 Automattic, Jetpack, Wordpress | 3 Jetpack Boost, Jetpack, Wordpress | 2026-05-11 | 6.1 Medium |
| WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2026-45005 | 1 Openclaw | 1 Openclaw | 2026-05-11 | 6 Medium |
| OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart. | ||||
| CVE-2026-44999 | 1 Openclaw | 1 Openclaw | 2026-05-11 | 5.3 Medium |
| OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events. | ||||
| CVE-2026-44993 | 1 Openclaw | 1 Openclaw | 2026-05-11 | 5.4 Medium |
| OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies. | ||||
| CVE-2022-50964 | 1 Ubidauction | 1 Ubidauction | 2026-05-11 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2026-44407 | 1 Zte | 1 Zxcloud Irai | 2026-05-11 | 4.7 Medium |
| A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | ||||
| CVE-2026-41644 | 1 Monetr | 1 Monetr | 2026-05-11 | 7.1 High |
| monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5. | ||||
| CVE-2026-6805 | 2 Ercom, Thalesgroup | 2 Cryptobox, Ercom Cryptobox | 2026-05-11 | 7.5 High |
| Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link. | ||||
| CVE-2022-50943 | 1 Moodle | 1 Moodle | 2026-05-11 | 6.1 Medium |
| Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. | ||||
| CVE-2022-50959 | 2 Wordpress, Wpdevart | 2 Wordpress, Contact Form Builder | 2026-05-11 | 6.1 Medium |
| WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2022-50965 | 1 Ubidauction | 1 Ubidauction | 2026-05-11 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2026-8235 | 1 8421bit | 1 Miniclaw | 2026-05-11 | 5.5 Medium |
| A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2021-47907 | 1 Rocketsoft | 1 Rocket Lms | 2026-05-11 | 6.4 Medium |
| Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks. | ||||
| CVE-2021-47926 | 2 Form2email, Wordpress | 2 Contact Form To Email, Wordpress | 2026-05-11 | 6.4 Medium |
| Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | ||||
| CVE-2026-0966 | 2 Libssh, Redhat | 6 Libssh, Enterprise Linux, Hardened Images and 3 more | 2026-05-11 | 8.2 High |
| A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process. | ||||
| CVE-2026-39836 | 1 Go Standard Library | 1 Net | 2026-05-11 | 7.5 High |
| The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | ||||
| CVE-2026-39825 | 1 Go Standard Library | 1 Net/http | 2026-05-11 | 5.3 Medium |
| ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. | ||||