Export limit exceeded: 349675 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349675 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8185 | 1 Ugreen | 1 Cm933 | 2026-05-10 | 6.3 Medium |
| A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April." | ||||
| CVE-2026-8198 | 2 Logtivity, Wordpress | 2 Activity Logs, User Activity Tracking, Multisite Activity Log From Logtivity, Wordpress | 2026-05-10 | 5.3 Medium |
| The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used to impersonate the site in API calls to the Logtivity service. | ||||
| CVE-2026-42571 | 1 Pelicanplatform | 1 Pelican | 2026-05-10 | N/A |
| Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2. | ||||
| CVE-2026-8195 | 1 Jeecg | 1 Jeecgboot | 2026-05-10 | 4.3 Medium |
| A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8210 | 1 Aandrew-me | 1 Tgpt | 2026-05-10 | 5.3 Medium |
| A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-45182 | 1 Grapheneos | 1 Grapheneos | 2026-05-10 | 2.2 Low |
| GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled. | ||||
| CVE-2026-8219 | 1 Devs Palace | 1 Erp Online | 2026-05-10 | 2.4 Low |
| A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8231 | 1 Codeastro | 1 Online Catering Ordering System | 2026-05-10 | 6.3 Medium |
| A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-50949 | 2 A-j-evolution, Wordpress | 2 Videos Sync Pdf, Wordpress | 2026-05-10 | 6.4 Medium |
| WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings. | ||||
| CVE-2022-50963 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2022-50969 | 1 Ubidauction | 1 Ubidauction | 2026-05-10 | 6.1 Medium |
| uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | ||||
| CVE-2021-47930 | 1 Balbooa | 1 Balbooa Joomla Forms Builder | 2026-05-10 | 8.2 High |
| Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information. | ||||
| CVE-2021-47944 | 1 Memono | 1 Notepad | 2026-05-10 | 7.5 High |
| memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | ||||
| CVE-2021-47950 | 1 Ampps | 1 Advanced Guestbook | 2026-05-10 | 6.4 Medium |
| Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | ||||
| CVE-2026-45190 | 1 Stigtsp | 1 Net::cidr::lite | 2026-05-10 | N/A |
| Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191. | ||||
| CVE-2026-7864 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. | ||||
| CVE-2026-44127 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. | ||||
| CVE-2026-44128 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval. | ||||
| CVE-2026-44129 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. | ||||
| CVE-2026-44125 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-10 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | ||||