Export limit exceeded: 361498 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (361498 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63041 | 2026-06-26 | 5.4 Medium | ||
| Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. | ||||
| CVE-2026-54839 | 2026-06-26 | 7.5 High | ||
| Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions. | ||||
| CVE-2026-56030 | 2026-06-26 | 9.8 Critical | ||
| Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions. | ||||
| CVE-2026-57618 | 2026-06-26 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions. | ||||
| CVE-2026-57924 | 1 Jetbrains | 1 Youtrack | 2026-06-26 | 4.3 Medium |
| In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details | ||||
| CVE-2026-57925 | 1 Jetbrains | 1 Youtrack | 2026-06-26 | 4.3 Medium |
| In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags | ||||
| CVE-2026-57926 | 1 Jetbrains | 1 Youtrack | 2026-06-26 | 2.6 Low |
| In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack | ||||
| CVE-2026-56036 | 2026-06-26 | 9.3 Critical | ||
| Unauthenticated SQL Injection in 워드프레스 결제 심플페이 <= 5.5.6 versions. | ||||
| CVE-2026-45405 | 2026-06-26 | 9 Critical | ||
| Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2. | ||||
| CVE-2026-57316 | 2026-06-26 | 6.5 Medium | ||
| Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions. | ||||
| CVE-2026-57323 | 2026-06-26 | 5.8 Medium | ||
| Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions. | ||||
| CVE-2026-57921 | 1 Jetbrains | 1 Youtrack | 2026-06-26 | 4.3 Medium |
| In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint | ||||
| CVE-2026-57922 | 1 Jetbrains | 1 Youtrack | 2026-06-26 | 3.1 Low |
| In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible | ||||
| CVE-2026-53914 | 1 Jetbrains | 1 Kotlin | 2026-06-26 | 6.7 Medium |
| In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata | ||||
| CVE-2026-56876 | 2026-06-26 | 8.1 High | ||
| extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files. | ||||
| CVE-2026-57644 | 2026-06-26 | 8.5 High | ||
| Contributor SQL Injection in Restaurant Menu by MotoPress <= 2.4.10 versions. | ||||
| CVE-2026-57656 | 2026-06-26 | 5.9 Medium | ||
| Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions. | ||||
| CVE-2026-10097 | 1 Wolfssl | 1 Wolfssl | 2026-06-26 | N/A |
| wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts that differ from the expected re-encryption solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security. An attacker able to submit chosen ciphertexts to a decapsulation oracle that uses a static ML-KEM-1024 key, and to observe whether the genuine shared secret or the implicit-rejection secret was produced, can use this as a plaintext-checking oracle to recover the private key. A proof of concept recovered a full ML-KEM-1024 private key with approximately 98% success using roughly 350 chosen ciphertexts. The flaw is a deterministic logic error and does not rely on timing measurements. | ||||
| CVE-2026-57527 | 2026-06-26 | 8.8 High | ||
| Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel. | ||||
| CVE-2026-11702 | 2026-06-26 | 7.5 High | ||
| Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes. | ||||