Export limit exceeded: 361191 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361191 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-50872 | 1 Fossar | 1 Selfoss | 2026-06-26 | 9.8 Critical |
| An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request. | ||||
| CVE-2026-50873 | 1 Flatnotes | 1 Flatnotes | 2026-06-26 | 9.8 Critical |
| An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file. | ||||
| CVE-2026-50875 | 1 Deck9 | 1 Deck9 Input | 2026-06-26 | 8.1 High |
| Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request. | ||||
| CVE-2026-50876 | 1 Deck9 | 1 Deck9 Input | 2026-06-26 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2026-50879 | 1 Linx-server | 1 Linx-server | 2026-06-26 | 7.5 High |
| An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2026-50880 | 1 Youtransfer | 1 Youtransfer | 2026-06-26 | 9.8 Critical |
| An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request. | ||||
| CVE-2026-50882 | 1 Anna-is-cute | 1 Paste | 2026-06-26 | 7.5 High |
| An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2026-50883 | 1 Matze | 1 Wastebin | 2026-06-26 | 9.6 Critical |
| An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload. | ||||
| CVE-2026-50884 | 1 Statping-ng | 1 Statping-ng | 2026-06-26 | 8.8 High |
| Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components. | ||||
| CVE-2026-50886 | 1 Firefly | 1 Project Firefly Iii | 2026-06-26 | 9.1 Critical |
| Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request. | ||||
| CVE-2026-50887 | 1 Shlink | 1 Shlink | 2026-06-26 | 9.1 Critical |
| A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl. | ||||
| CVE-2026-50889 | 1 Lldap | 1 Lldap | 2026-06-26 | 7.5 High |
| An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header. | ||||
| CVE-2016-20066 | 2 Dwbooster, Wordpress | 2 Cp Polls, Wordpress | 2026-06-26 | 7.2 High |
| WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content. | ||||
| CVE-2016-20067 | 2 Dwbooster, Wordpress | 2 Cp Polls, Wordpress | 2026-06-26 | 4.3 Medium |
| WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in. | ||||
| CVE-2016-20069 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 8.2 High |
| WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information. | ||||
| CVE-2016-20070 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 6.4 Medium |
| WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers. | ||||
| CVE-2016-20068 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 8.2 High |
| WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information. | ||||
| CVE-2026-52719 | 2 Gstreamer Project, Redhat | 2 Gstreamer Plugin, Enterprise Linux | 2026-06-26 | 7.1 High |
| An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure. | ||||
| CVE-2026-53705 | 2 Gstreamer Project, Redhat | 2 Gstreamer Plugin, Enterprise Linux | 2026-06-26 | 7.6 High |
| A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file. | ||||
| CVE-2026-52721 | 2 Gstreamer Project, Redhat | 2 Gstreamer Plugin, Enterprise Linux | 2026-06-26 | 5.3 Medium |
| Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure. | ||||