Export limit exceeded: 364053 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 14550 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 364053 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364053 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-20070 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 6.4 Medium |
| WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers. | ||||
| CVE-2016-20068 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 8.2 High |
| WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information. | ||||
| CVE-2026-52721 | 2 Gstreamer Project, Redhat | 2 Gstreamer Plugin, Enterprise Linux | 2026-06-26 | 5.3 Medium |
| Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure. | ||||
| CVE-2026-34891 | 2 Hitpay, Idpay | 2 Payment Gateway For Woocommerce, Payment Gateway For Woocommerce | 2026-06-26 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions. | ||||
| CVE-2026-39470 | 2 Brainstorm Force, Wordpress | 2 Woocommerce Cart Abandonment Recovery, Wordpress | 2026-06-26 | 7.2 High |
| Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. | ||||
| CVE-2026-39478 | 2 Eli Scheetz, Wordpress | 2 Anti-malware Security And Brute-force Firewall, Wordpress | 2026-06-26 | 8.8 High |
| Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. | ||||
| CVE-2026-39502 | 2 10web, Wordpress | 2 Form Maker, Wordpress | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | ||||
| CVE-2026-39533 | 2 Wordpress, Wptasty | 2 Wordpress, Awp Classifieds | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. | ||||
| CVE-2026-49055 | 2 Glen Don Mongaya, Wordpress | 2 Drag And Drop Multiple File Upload – Contact Form 7, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions. | ||||
| CVE-2026-49061 | 2 Wordpress, Wpclever | 2 Wordpress, Wpc Product Options For Woocommerce | 2026-06-26 | 7.5 High |
| Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions. | ||||
| CVE-2026-52699 | 2 E4jvikwp, Wordpress | 2 Vikrentcar, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions. | ||||
| CVE-2026-6964 | 2 J 3rk, Wordpress | 2 Video Conferencing With Zoom, Wordpress | 2026-06-26 | 5.3 Medium |
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation. | ||||
| CVE-2026-10831 | 1 Moxa | 2 Cn2600 Series, Nport 5600 Series | 2026-06-26 | N/A |
| A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network access can send crafted requests to disrupt serial communication for an active user session. | ||||
| CVE-2025-13036 | 1 Rockwellautomation | 1 Factorytalk Historian Se | 2026-06-26 | N/A |
| An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an attacker may obtain a valid authentication token. | ||||
| CVE-2025-14272 | 1 Rockwellautomation | 1 Factorytalk Analytics Pavilionx | 2026-06-26 | N/A |
| A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions. | ||||
| CVE-2026-0646 | 1 Rockwellautomation | 1 Flex I/o Ethernet/ip Adapter | 2026-06-26 | N/A |
| A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover. | ||||
| CVE-2026-0647 | 1 Rockwellautomation | 1 Flex I/o Ethernet/ip Adapter | 2026-06-26 | N/A |
| An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of the device’s embedded web server’s availability. | ||||
| CVE-2026-44932 | 1 Suse | 1 Wicked | 2026-06-26 | 8.8 High |
| Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine. | ||||
| CVE-2026-10649 | 2 Clusterlabs, Redhat | 4 Pacemaker, Enterprise Linux, Openshift and 1 more | 2026-06-26 | 8.6 High |
| A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing. | ||||
| CVE-2024-38487 | 1 Dell | 1 Emc Vxrail Appliance | 2026-06-26 | 7 High |
| api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions. | ||||