Export limit exceeded: 340856 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (340856 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-30892 | 2 Containers, Crun Project | 2 Crun, Crun | 2026-03-27 | 0 Low |
| crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue. | ||||
| CVE-2026-30162 | 1 Auntvt | 1 Timo | 2026-03-27 | 6.1 Medium |
| Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field. | ||||
| CVE-2026-29933 | 1 Yzmcms | 1 Yzmcms | 2026-03-27 | N/A |
| A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header. | ||||
| CVE-2026-29934 | 1 Eddy8 | 1 Lightcms | 2026-03-27 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header. | ||||
| CVE-2026-29976 | 1 Zerbea | 1 Hcxpcapngtool | 2026-03-27 | 6.2 Medium |
| Buffer Overflow vulnerability in ZerBea hcxpcapngtool v. 7.0.1-43-g2ee308e allows a local attacker to obtain sensitive information via the getradiotapfield() function | ||||
| CVE-2026-29905 | 1 Getkirby | 1 Kirby | 2026-03-27 | 6.5 Medium |
| Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError. | ||||
| CVE-2026-29969 | 1 Cmoncrook | 1 Staffwiki | 2026-03-27 | N/A |
| A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request. | ||||
| CVE-2026-30457 | 1 Daylightstudio | 1 Fuel Cms | 2026-03-27 | N/A |
| An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. | ||||
| CVE-2026-30458 | 1 Daylightstudio | 1 Fuel Cms | 2026-03-27 | N/A |
| An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. | ||||
| CVE-2026-30463 | 1 Daylightstudio | 1 Fuel Cms | 2026-03-27 | N/A |
| Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. | ||||
| CVE-2026-32748 | 1 Squid-cache | 1 Squid | 2026-03-27 | 7.5 High |
| Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5. | ||||
| CVE-2026-33526 | 1 Squid-cache | 1 Squid | 2026-03-27 | 7.5 High |
| Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch. | ||||
| CVE-2026-33942 | 2 Saloon, Saloonphp | 2 Saloon, Saloon | 2026-03-27 | 9.8 Critical |
| Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually. | ||||
| CVE-2025-15101 | 1 Asus | 2 Asus Firmware, Router | 2026-03-27 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | ||||
| CVE-2014-125112 | 1 Miyagawa | 1 Plack::middleware::session::cookie | 2026-03-27 | 9.8 Critical |
| Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie. | ||||
| CVE-2025-15433 | 2 Sharedfilespro, Wordpress | 2 Shared Files, Wordpress | 2026-03-27 | 6.8 Medium |
| The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector | ||||
| CVE-2025-15488 | 2 Responsive, Wordpress | 2 Responsive Menu, Wordpress | 2026-03-27 | 6.5 Medium |
| The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode. | ||||
| CVE-2026-1430 | 2 Syedbalkhi, Wordpress | 2 Wp Lightbox 2, Wordpress | 2026-03-27 | 4.8 Medium |
| The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2026-1890 | 2 Leadconnector, Wordpress | 2 Leadconnector, Wordpress | 2026-03-27 | 5.3 Medium |
| The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data | ||||
| CVE-2026-4247 | 1 Freebsd | 1 Freebsd | 2026-03-27 | 7.5 High |
| When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively. | ||||