Export limit exceeded: 335260 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335260 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22542 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-08 | N/A |
| An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service. | ||||
| CVE-2026-22541 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-08 | N/A |
| The massive sending of ICMP requests causes a denial of service on one of the boards from the EVCharger that allows control the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. | ||||
| CVE-2026-22540 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-08 | N/A |
| The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. | ||||
| CVE-2026-22537 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-08 | N/A |
| The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker. | ||||
| CVE-2026-22536 | 1 Sudo | 1 Sudo | 2026-01-08 | N/A |
| The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions | ||||
| CVE-2026-22535 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-08 | N/A |
| An attacker with the ability to interact through the network and with access credentials, could, thanks to the unsecured (unencrypted) MQTT communications protocol, write on the server topics of the board that controls the MQTT communications | ||||
| CVE-2026-20893 | 2 Fujitsu, Microsoft | 2 Security Solution Authconductor Client Basic V2, Windows | 2026-01-08 | N/A |
| Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | ||||
| CVE-2026-20029 | 1 Cisco | 2 Identity Services Engine Passive Identity Connector, Identity Services Engine Software | 2026-01-08 | 4.9 Medium |
| A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application. A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials. | ||||
| CVE-2026-0656 | 2 Ipaymu, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2026-01-08 | 8.2 High |
| The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | ||||
| CVE-2026-0650 | 1 Openflagr | 1 Flagr | 2026-01-08 | N/A |
| OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | ||||
| CVE-2025-9611 | 1 Microsoft | 1 Playwright | 2026-01-08 | N/A |
| Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. | ||||
| CVE-2025-69344 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6. | ||||
| CVE-2025-69333 | 2 Crocoblock, Wordpress | 2 Jetengine, Wordpress | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.8.1.1. | ||||
| CVE-2025-69082 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo arlo allows Reflected XSS.This issue affects Arlo: from n/a through 6.0.3. | ||||
| CVE-2025-69081 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through 3.0.0. | ||||
| CVE-2025-69080 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8. | ||||
| CVE-2025-64305 | 2026-01-08 | 6.5 Medium | ||
| MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. | ||||
| CVE-2025-12958 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 2.7 Low |
| The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks. | ||||
| CVE-2025-13369 | 2 Premmerce, Wordpress | 2 Woocommerce Customers Manager, Wordpress | 2026-01-08 | 6.1 Medium |
| The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13371 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.6 High |
| The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | ||||