Export limit exceeded: 337350 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 337350 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337350 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27142 | 1 Go Standard Library | 1 Html/template | 2026-03-10 | 7.5 High |
| Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. | ||||
| CVE-2026-27138 | 1 Go Standard Library | 1 Crypto Tls | 2026-03-10 | 5.9 Medium |
| Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS. | ||||
| CVE-2026-27137 | 1 Go Standard Library | 1 Crypto Tls | 2026-03-10 | 7.5 High |
| When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered. | ||||
| CVE-2026-27027 | 1 Everon | 1 Api.everon.io | 2026-03-10 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-26377 | 2 Koha, Koha-community | 2 Koha, Koha | 2026-03-10 | 5.4 Medium |
| Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | ||||
| CVE-2026-26288 | 1 Everon | 1 Api.everon.io | 2026-03-10 | 9.4 Critical |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | ||||
| CVE-2026-25679 | 1 Go Standard Library | 1 Net/url | 2026-03-10 | 7.5 High |
| url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | ||||
| CVE-2026-24696 | 1 Everon | 1 Api.everon.io | 2026-03-10 | 7.5 High |
| The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. | ||||
| CVE-2026-24308 | 1 Apache | 1 Zookeeper | 2026-03-10 | 6.5 Medium |
| Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue. | ||||
| CVE-2026-24281 | 1 Apache | 1 Zookeeper | 2026-03-10 | 5.9 Medium |
| Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols. | ||||
| CVE-2026-22923 | 1 Siemens | 1 Nx | 2026-03-10 | 7.8 High |
| A vulnerability has been identified in NX (All versions < V2512), NX (Managed Mode) (All versions < V2512). The affected application contains a data validation vulnerability that could allow an attacker with local access to interfere with internal data during the PDF export process that could potentially lead to arbitrary code execution. | ||||
| CVE-2026-22478 | 2 Elated Themes, Wordpress | 2 Findall, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes FindAll findall allows PHP Local File Inclusion.This issue affects FindAll: from n/a through <= 1.4. | ||||
| CVE-2026-22476 | 2 Elated-themes, Wordpress | 2 Etchy, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion.This issue affects Etchy: from n/a through <= 1.0. | ||||
| CVE-2026-22471 | 2 Maximsecudeal, Wordpress | 2 Secudeal Payments For Ecommerce, Wordpress | 2026-03-10 | 8.6 High |
| Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1. | ||||
| CVE-2026-22465 | 2 Seventhqueen, Wordpress | 2 Buddyapp, Wordpress | 2026-03-10 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2. | ||||
| CVE-2026-22456 | 2 Elated-themes, Wordpress | 2 Askka, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Askka askka allows PHP Local File Inclusion.This issue affects Askka: from n/a through <= 1.0. | ||||
| CVE-2026-22454 | 2 Themerex, Wordpress | 2 Solaris, Wordpress | 2026-03-10 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through <= 2.5. | ||||
| CVE-2026-22452 | 2 Themerex, Wordpress | 2 Hoverex, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hoverex hoverex allows PHP Local File Inclusion.This issue affects Hoverex: from n/a through <= 1.5.10. | ||||
| CVE-2026-22449 | 2 Select-themes, Wordpress | 2 Don Peppe, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Don Peppe donpeppe allows PHP Local File Inclusion.This issue affects Don Peppe: from n/a through <= 1.3. | ||||
| CVE-2026-22443 | 2 Themerex, Wordpress | 2 Alliance, Wordpress | 2026-03-10 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Alliance alliance allows PHP Local File Inclusion.This issue affects Alliance: from n/a through <= 3.1.1. | ||||