Export limit exceeded: 360294 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 360294 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (360294 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-47384 | 1 Nocodb | 1 Nocodb | 2026-06-24 | N/A |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1. | ||||
| CVE-2026-9172 | 2026-06-24 | 5.3 Medium | ||
| The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID. | ||||
| CVE-2026-46554 | 1 Nocodb | 1 Nocodb | 2026-06-24 | N/A |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4. | ||||
| CVE-2026-8688 | 2026-06-24 | 4.3 Medium | ||
| The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to duplicate, copy, move, or publish nav_menu_item posts via wp_insert_post(), modifying the site's navigation menus without authorization. | ||||
| CVE-2026-47380 | 1 Nocodb | 1 Nocodb | 2026-06-24 | N/A |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1. | ||||
| CVE-2026-34908 | 1 Ubiquiti | 31 Efg, Envr, Envr-core and 28 more | 2026-06-24 | 10 Critical |
| A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. | ||||
| CVE-2026-12094 | 2026-06-24 | 5.3 Medium | ||
| The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs. | ||||
| CVE-2026-46548 | 1 Nocodb | 1 Nocodb | 2026-06-24 | 4.3 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1. | ||||
| CVE-2026-13006 | 2026-06-24 | N/A | ||
| ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. | ||||
| CVE-2026-10531 | 2026-06-24 | 5.4 Medium | ||
| The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2026-54515 | 1 Fasterxml | 1 Jackson-databind | 2026-06-24 | 5.3 Medium |
| jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4. | ||||
| CVE-2026-56052 | 2 Funnelkit, Wordpress | 2 Funnel Builder By Funnelkit, Wordpress | 2026-06-24 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5. | ||||
| CVE-2026-54588 | 2026-06-24 | 9.6 Critical | ||
| Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue. | ||||
| CVE-2026-13140 | 2026-06-24 | N/A | ||
| Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e. | ||||
| CVE-2026-9612 | 2026-06-24 | 5.3 Medium | ||
| The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check. | ||||
| CVE-2026-10092 | 2026-06-24 | 7.2 High | ||
| The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database. | ||||
| CVE-2026-56761 | 1 Hono | 1 Hono | 2026-06-24 | 4.3 Medium |
| hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements. | ||||
| CVE-2026-56337 | 2026-06-24 | 5.3 Medium | ||
| Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. Remote attackers can exploit this SECURITY DEFINER function to determine whether specific app_ids exist in the public.apps table, enabling cross-tenant app enumeration and privacy violations. | ||||
| CVE-2026-9619 | 2026-06-24 | 4.3 Medium | ||
| The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger outbound scraping of external websites and write scraped review data into the wp_dp_reviews database table, as well as send feature-request emails from the site administrator's email address. | ||||
| CVE-2026-56262 | 2026-06-24 | 6.5 Medium | ||
| Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication, causing service disruption. | ||||