Export limit exceeded: 359386 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 359386 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 359386 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (359386 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39598 | 2026-06-17 | 8 High | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2. | ||||
| CVE-2026-25470 | 2026-06-17 | 10 Critical | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47. | ||||
| CVE-2026-40722 | 2026-06-17 | 5.5 Medium | ||
| Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6. | ||||
| CVE-2026-24061 | 2 Debian, Gnu | 2 Debian Linux, Inetutils | 2026-06-17 | 9.8 Critical |
| telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. | ||||
| CVE-2026-22550 | 1 Elecom | 4 Wrc-x1500gs-b, Wrc-x1500gs-b Firmware, Wrc-x1500gsa-b and 1 more | 2026-06-17 | 8.8 High |
| OS command injection vulnerability exists in ELECOM wireless LAN products. A crafted request from a logged-in user may lead to an arbitrary OS command execution. | ||||
| CVE-2026-36576 | 1 Openlabs | 1 Docker-wkhtmltopdf-aas | 2026-06-17 | 9.8 Critical |
| An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request. | ||||
| CVE-2026-54804 | 2026-06-17 | 7.6 High | ||
| Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions. | ||||
| CVE-2026-54188 | 2026-06-17 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. | ||||
| CVE-2026-54185 | 2026-06-17 | 8.5 High | ||
| Subscriber SQL Injection in Cornerstone < 7.8.8 versions. | ||||
| CVE-2026-52705 | 2026-06-17 | 9 Critical | ||
| Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions. | ||||
| CVE-2026-49778 | 2026-06-17 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. | ||||
| CVE-2026-49076 | 2026-06-17 | 9.3 Critical | ||
| Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. | ||||
| CVE-2026-22340 | 2026-06-17 | 9.3 Critical | ||
| Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions. | ||||
| CVE-2025-58954 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions. | ||||
| CVE-2024-52488 | 2026-06-17 | 9.9 Critical | ||
| Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. | ||||
| CVE-2026-46173 | 1 Linux | 1 Linux Kernel | 2026-06-17 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler) | ||||
| CVE-2023-40132 | 1 Google | 1 Android | 2026-06-17 | 7.8 High |
| In setActualDefaultRingtoneUri of RingtoneManager.java, there is a possible way to bypass content providers read permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2023-40108 | 1 Google | 1 Android | 2026-06-17 | 5.5 Medium |
| In multiple locations, there is a possible way to access media content belonging to another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-41276 | 2 Waterfall, Waterfall-security | 3 Wf-500, Wf-500, Wf-500 Firmware | 2026-06-17 | 9.8 Critical |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | ||||
| CVE-2026-25089 | 1 Fortinet | 5 Fortisandbox, Fortisandbox Cloud, Fortisandbox Paas and 2 more | 2026-06-17 | 9.1 Critical |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests | ||||