Export limit exceeded: 361701 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361701 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13569 | 1 Eyoucms | 1 Eyoucms | 2026-06-29 | 4.7 Medium |
| A security vulnerability has been detected in weng-xianhu EyouCMS up to 1.7.1. This issue affects some unknown processing of the file /index.php of the component API. Such manipulation of the argument click_like leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-56124 | 2026-06-29 | 7.5 High | ||
| phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. | ||||
| CVE-2026-57330 | 2026-06-29 | 6.5 Medium | ||
| Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions. | ||||
| CVE-2026-57338 | 2026-06-29 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions. | ||||
| CVE-2026-56061 | 2 Wordpress, Wp Swings | 2 Wordpress, Subscriptions For Woocommerce | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions. | ||||
| CVE-2026-57332 | 2026-06-29 | 7.1 High | ||
| Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions. | ||||
| CVE-2026-53550 | 1 Nodeca | 1 Js-yaml | 2026-06-29 | 5.3 Medium |
| js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. | ||||
| CVE-2026-57326 | 2026-06-29 | 6.5 Medium | ||
| Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions. | ||||
| CVE-2026-13571 | 1 Sourcecodester | 1 Simple Food Ordering System | 2026-06-29 | 5.3 Medium |
| A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lead to business logic errors. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-57314 | 2 Surecart, Wordpress | 2 Surecart, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions. | ||||
| CVE-2026-57321 | 2026-06-29 | 7.1 High | ||
| Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions. | ||||
| CVE-2025-29635 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2026-06-29 | 7.2 High |
| A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution. | ||||
| CVE-2026-35273 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2026-06-29 | 9.8 Critical |
| Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2026-13545 | 1 D-link | 1 Dcs-935l | 2026-06-29 | 8.8 High |
| A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-11597 | 2026-06-29 | 6.4 Medium | ||
| The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-58052 | 1 7-zip | 1 7-zip | 2026-06-29 | 3.3 Low |
| 7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content. | ||||
| CVE-2026-58058 | 1 Nmap | 1 Nmap | 2026-06-29 | 6.5 Medium |
| Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans. | ||||
| CVE-2026-13487 | 1 Sourcecodester | 1 Class And Exam Timetabling System | 2026-06-29 | 7.3 High |
| A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive.php. The manipulation of the argument sy leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-13495 | 1 Itsourcecode | 1 Hospital Management System | 2026-06-29 | 4.7 Medium |
| A vulnerability has been found in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminprofile.php. The manipulation of the argument loginid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-13501 | 1 Antlr | 1 Antlr4 | 2026-06-29 | 5.3 Medium |
| A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||