Export limit exceeded: 337999 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337999 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2364 | 1 Codesys | 1 Codesys Installer | 2026-03-11 | 7.3 High |
| If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer. | ||||
| CVE-2026-27684 | 1 Sap Se | 1 Sap Netweaver (feedback Notification) | 2026-03-11 | 6.4 Medium |
| SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application. | ||||
| CVE-2025-11158 | 1 Hitachi | 1 Vantara Pentaho Data Integration And Analytics | 2026-03-11 | 9.1 Critical |
| Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE. | ||||
| CVE-2026-1261 | 2 Wordpress, Wpmet | 2 Wordpress, Metform Pro | 2026-03-11 | 7.2 High |
| The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-70025 | 1 Benkeen | 1 Generatedata | 2026-03-11 | 6.1 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | ||||
| CVE-2025-13902 | 1 Schneider-electric | 2 Modicon Controllers M241/m251, Modicon Controllers M258/lmc058 | 2026-03-11 | N/A |
| CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload. | ||||
| CVE-2025-2399 | 1 Mitsubishi Electric | 20 Cnc C80 Series C80, Cnc E70 Series E70, Cnc E80 Series E80 and 17 more | 2026-03-11 | 5.9 Medium |
| Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric CNC M800V Series M800VW and M800VS, M80V Series M80V and M80VW, M800 Series M800W and M800S, M80 Series M80 and M80W, E80 Series E80, C80 Series C80, M700V Series M750VW, M720VW, 730VW, M720VS, M730VS, and M750VS, M70V Series M70V, E70 Series E70, and Software Tools NC Trainer2 and NC Trainer2 plus allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition by sending specially crafted packets to TCP port 683. | ||||
| CVE-2025-27769 | 1 Siemens | 2 Heliox Flex 180 Kw Ev Charging Station, Heliox Mobile Dc 40 Kw Ev Charging Station | 2026-03-11 | 2.6 Low |
| A vulnerability has been identified in Heliox Flex 180 kW EV Charging Station (All versions < F4.11.1), Heliox Mobile DC 40 kW EV Charging Station (All versions < L4.10.1). Affected devices contain improper access control that could allow an attacker to reach unauthorized services via the charging cable. | ||||
| CVE-2025-41709 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 9.8 Critical |
| [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR] | ||||
| CVE-2025-41710 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 6.5 Medium |
| An unauthenticated remote attacker may use hardcodes credentials to get access to the previously activated FTP Server with limited read and write privileges. | ||||
| CVE-2025-41712 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 6.5 Medium |
| An unauthenticated remote attacker who tricks a user to upload a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for the web server. | ||||
| CVE-2025-68402 | 1 Freshrss | 1 Freshrss | 2026-03-11 | N/A |
| FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release. | ||||
| CVE-2025-70973 | 1 Scadabr | 1 Scadabr | 2026-03-11 | 4.8 Medium |
| ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | ||||
| CVE-2026-0953 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-03-11 | 9.8 Critical |
| The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address. | ||||
| CVE-2026-1919 | 2 Arraytics, Wordpress | 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress | 2026-03-11 | 5.3 Medium |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data. | ||||
| CVE-2026-1920 | 2 Arraytics, Wordpress | 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress | 2026-03-11 | 5.3 Medium |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins. | ||||
| CVE-2026-22614 | 1 Eaton | 1 Easysoft | 2026-03-11 | 6.1 Medium |
| The encryption mechanism used in Eaton's EasySoft project file was insecure and susceptible to brute force attacks, an attacker with access to this file and the local host machine could potentially read the sensitive information stored and tamper with the project file. This security issue has been fixed in the latest version of Eaton EasySoft which is available on the Eaton download centre. | ||||
| CVE-2026-24309 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 6.4 Medium |
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality. | ||||
| CVE-2026-24310 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 3.5 Low |
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability. | ||||
| CVE-2026-24311 | 1 Sap Se | 1 Sap Customer Checkout 2.0 | 2026-03-11 | 5.6 Medium |
| The SAP Customer Checkout application exhibits certain design characteristics that involve locally storing operational data using reversible protection mechanisms. Access to this data, combined with user?initiated interaction, may allow modifications to occur without validation. Such changes could affect system behaviour during startup, resulting in a high impact on the application's confidentiality and integrity, with a low impact on availability. | ||||