Export limit exceeded: 335699 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 335699 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335699 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28401 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28399 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 8.8 High |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28398 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28397 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28396 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 6.5 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28361 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 6.3 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28360 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.3 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28359 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28358 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.3 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. | ||||
| CVE-2026-28357 | 1 Nocodb | 1 Nocodb | 2026-03-03 | 5.4 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3. | ||||
| CVE-2023-4631 | 1 Wpdo | 1 Dologin Security | 2026-03-03 | 5.3 Medium |
| The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. | ||||
| CVE-2023-4549 | 1 Wpdo | 1 Dologin Security | 2026-03-03 | 6.1 Medium |
| The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form. | ||||
| CVE-2026-24488 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-03 | 6.5 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (including database credentials, patient documents, system files, and source code) via fax to an attacker-controlled phone number. The vulnerability exists because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without path restrictions or authorization checks. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-50199 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 9.1 Critical |
| Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This issue has been patched in version 1.11.30. | ||||
| CVE-2026-26861 | 1 Clevertap | 2 Clevertap Web Sdk, Web Sdk | 2026-03-03 | 8.3 High |
| CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain | ||||
| CVE-2025-50197 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 7.2 High |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-50196 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 7.2 High |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-50195 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 7.2 High |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-50194 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 7.2 High |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.30. | ||||
| CVE-2025-50193 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | 7.2 High |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30. | ||||