Search

Found 852 results in 73ms · Match type: Filtered list

CVE	Severity	CVSS	Risk	OS	Vendor	Published	Description
CVE-2026-44611	medium	5.4	5.4		macgregor	6d ago	Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks.
CVE-2026-44518	medium	5.3	5.3	sles	openquantumsafe	6d ago	liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT …
CVE-2026-42951	medium	5.4	5.4		macgregor	6d ago	An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes.
CVE-2026-40425	medium	4.9	4.9		macgregor	6d ago	The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
CVE-2026-45352	medium	5.3	5.3	debian sles	yhirose	6d ago	cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process cras…
CVE-2026-45324	low	3.3	3.3			6d ago	Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a double free in librz/core/cmd/cmd_search.c:byte_pattern_search() due wrong pointer ownership declared. This vul…
CVE-2026-45613	low	3.3	3.3			6d ago	Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a heap-buffer-overflow in librz/bin/format/omf/omf.c. This vulnerability is fixed by commit e6d0937c8a083e23ed76c…
CVE-2026-38739	unknown	—	—			6d ago	ezsystems/ezpublish-legacy has a SQL injection in dfscleanup
CVE-2026-46690	unknown	—	—			6d ago	unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race
CVE-2026-47266	unknown	—	—			6d ago	formie's unauthenticated front-end submission editing can overwrite existing submissions
CVE-2026-34127	medium	4.8	4.8		tp-link	6d ago	A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration paramete…
CVE-2026-42500	medium	5.3	5.3	debian		6d ago	Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
CVE-2026-4387	unknown	—	—			6d ago	StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a…
CVE-2026-47190	unknown	—	—			6d ago	IPAM controller service account granted unnecessary full access to Secrets
CVE-2026-47141	unknown	—	—			6d ago	NodeVM observability builtins leak host process and HTTP request data
CVE-2026-45668	unknown	—	—			6d ago	Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled…
CVE-2026-43917	unknown	—	—			6d ago	Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scop…
CVE-2026-10070	medium	4.7	4.7			6d ago	A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results …
CVE-2026-47139	unknown	—	—			6d ago	NodeVM network builtin exclusions bypass via internal _http_client and _http_server
CVE-2026-47140	unknown	—	—			6d ago	NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
CVE-2026-47210	unknown	—	—			6d ago	vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
CVE-2026-47137	unknown	—	—			6d ago	vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
CVE-2026-47209	unknown	—	—			6d ago	vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
CVE-2026-47135	unknown	—	—			6d ago	vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
CVE-2026-47208	unknown	—	—			6d ago	vm2 is Vulnerable to Sandbox Breakout Through Promise Species
CVE-2026-47131	unknown	—	—			6d ago	vm2 has a Sandbox Escape issue
CVE-2026-47200	unknown	—	—			6d ago	Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
CVE-2026-45742	unknown	—	—			6d ago	Gotenberg has a Race Condition via Multipart `downloadFrom` Handling
CVE-2026-45741	unknown	—	—			6d ago	Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
CVE-2026-44829	unknown	—	—			6d ago	Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename
CVE-2026-9194	unknown	—	—			6d ago	Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accid…
CVE-2026-39229	medium	6.5	6.5			6d ago	Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective comp…
CVE-2026-36324	medium	6.1	6.1			6d ago	SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php.
CVE-2026-35673	medium	6.5	6.5		openclaw	6d ago	OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp…
CVE-2026-34507	medium	5.4	5.4		openclaw	6d ago	OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin comma…
CVE-2026-33386	unknown	—	—			6d ago	QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the…
CVE-2026-33384	unknown	—	—			6d ago	QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID f…
CVE-2026-32906	medium	4.3	4.3		openclaw	6d ago	OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attacke…
CVE-2026-10101	medium	6.3	6.3			6d ago	ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterR…
CVE-2026-10099	medium	4.0	4.0			6d ago	XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending u…
CVE-2018-25397	medium	5.3	5.3			6d ago	PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated …
CVE-2018-25393	medium	6.5	6.5			6d ago	Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can se…
CVE-2018-25387	medium	5.3	5.3			6d ago	HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft…
CVE-2018-25384	medium	5.4	5.4			6d ago	Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can pos…
CVE-2026-44495	unknown	—	—			6d ago	axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
CVE-2026-44494	unknown	—	—			6d ago	axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
CVE-2026-44492	unknown	—	—			6d ago	axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
CVE-2026-44490	unknown	—	—			6d ago	axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44489	unknown	—	—			6d ago	Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
CVE-2026-41237	unknown	—	—			6d ago	Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0`…
CVE-2026-41235	unknown	—	—			6d ago	Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However…
CVE-2026-49325	medium	4.6	4.6			6d ago	Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Modul…
CVE-2026-49318	low	2.4	2.4			6d ago	Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…
CVE-2026-49317	low	2.4	2.4			6d ago	Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…
CVE-2026-49316	medium	4.6	4.6			6d ago	Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown b…
CVE-2026-47696	medium	4.3	4.3		wwbn	6d ago	WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
CVE-2026-47694	medium	5.4	5.4		wwbn	6d ago	WWBN AVideo: Stored XSS via unescaped Gallery category description
CVE-2026-40510	medium	6.8	6.8	sles windows	opensc_project	6d ago	OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trig…
CVE-2026-10075	medium	5.3	5.3			6d ago	DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary path by exploiting an Absolute Path Traversal vulner…
CVE-2026-10074	medium	4.9	4.9			6d ago	DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.
CVE-2026-9509	unknown	—	—			6d ago	An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST reques…
CVE-2026-9508	unknown	—	—			6d ago	Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path w…
CVE-2026-8326	unknown	—	—			6d ago	Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component …
CVE-2026-49324	medium	4.6	4.6			6d ago	Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-veh…
CVE-2026-49323	medium	4.3	4.3			6d ago	Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with…
CVE-2026-45611	unknown	—	—			6d ago	Rejected reason: Further research determined the issue is not a vulnerability.
CVE-2026-45551	unknown	—	—			6d ago	Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings…
CVE-2026-45043	unknown	—	—			6d ago	RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create se…
CVE-2026-9811	medium	5.4	5.4			6d ago	A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application f…
CVE-2026-9557	medium	6.4	6.4			6d ago	A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests f…
CVE-2026-49201	unknown	—	—			6d ago	The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers…
CVE-2026-10078	low	2.7	2.7			6d ago	A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL que…
CVE-2025-12714	medium	5.3	5.3			6d ago	The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in al…
CVE-2026-9189	medium	5.3	5.3			6d ago	The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Althou…
CVE-2026-49200	unknown	—	—			6d ago	The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s…
CVE-2026-49198	unknown	—	—			6d ago	Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
CVE-2026-49197	unknown	—	—			6d ago	Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
CVE-2026-49196	unknown	—	—			6d ago	The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.
CVE-2026-49195	unknown	—	—			6d ago	Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.
CVE-2026-10058	medium	4.8	4.8			6d ago	ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed …
CVE-2026-10057	medium	4.8	4.8			6d ago	ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed …
CVE-2026-10052	medium	4.1	4.1			6d ago	A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endp…
CVE-2026-10039	medium	4.9	4.9			6d ago	The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on th…
CVE-2026-9243	medium	6.4	6.4			7d ago	The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including…
CVE-2026-49322	medium	4.3	4.3			7d ago	Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to…
CVE-2026-49216	unknown	—	—			7d ago	symfony/ux-autocomplete XSS via unescaped AJAX response data
CVE-2026-49215	unknown	—	—			7d ago	symfony/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted
CVE-2026-49212	unknown	—	—			7d ago	symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding
CVE-2026-49211	unknown	—	—			7d ago	symfony/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil
CVE-2026-49210	unknown	—	—			7d ago	symfony/ux-live-component XSS via attacker-controlled child component tag
CVE-2026-49209	unknown	—	—			7d ago	symfony/ux-live-component Denial of service via unbounded batch action requests
CVE-2026-49208	unknown	—	—			7d ago	symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
CVE-2026-9714	medium	6.4	6.4			7d ago	The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [showmodule] shortcode in versions up to, and including, 1.2 This is due to i…
CVE-2026-9493	medium	6.5	6.5			7d ago	Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query fun…
CVE-2026-6324	medium	4.8	4.8	sles debian		7d ago	A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This v…
CVE-2026-6275	medium	6.4	6.4			7d ago	The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on…
CVE-2025-14042	medium	6.4	6.4			7d ago	The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and …
CVE-2026-2128	medium	5.3	5.3			7d ago	The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the `wo…
CVE-2026-8995	medium	4.3	4.3			7d ago	The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient acc…
CVE-2026-7430	medium	4.4	4.4			7d ago	The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet conte…