Export limit exceeded: 77010 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (77010 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12514 | 1 Centreon | 2 Centreon, Open Tickets | 2026-01-26 | 7.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | ||||
| CVE-2026-1257 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 7.5 High |
| The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | ||||
| CVE-2026-0807 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 7.2 High |
| The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. | ||||
| CVE-2026-0911 | 2 Wordpress, Wpmudev | 2 Wordpress, Hustle | 2026-01-26 | 7.5 High |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. | ||||
| CVE-2025-24752 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2026-01-26 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14. | ||||
| CVE-2025-5965 | 1 Centreon | 2 Centreon, Centreon Web | 2026-01-26 | 7.2 High |
| In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection.This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | ||||
| CVE-2025-31510 | 1 Lemonldap-ng | 1 Lemonldap::ng | 2026-01-26 | 7.2 High |
| In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | ||||
| CVE-2021-47842 | 1 Jotron | 1 Studymd | 2026-01-26 | 7.2 High |
| StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | ||||
| CVE-2025-62291 | 1 Strongswan | 1 Strongswan | 2026-01-26 | 8.1 High |
| In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. | ||||
| CVE-2025-15032 | 3 Apple, Dia, The Browser Company | 3 Macos, Dia, Dia | 2026-01-26 | 7.4 High |
| Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | ||||
| CVE-2021-47838 | 1 Dvcrn | 1 Markright | 2026-01-26 | 7.2 High |
| Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2021-47840 | 1 Moeditor | 1 Moeditor | 2026-01-26 | 7.2 High |
| Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | ||||
| CVE-2021-47835 | 1 Freeter | 1 Freeter | 2026-01-26 | 7.2 High |
| Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | ||||
| CVE-2021-47833 | 1 Gearboxcomputers | 1 Wifihotspot | 2026-01-26 | 7.8 High |
| WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | ||||
| CVE-2021-47829 | 1 Weird-solutions | 1 Dhcp Broadband | 2026-01-26 | 7.8 High |
| DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions. | ||||
| CVE-2021-47828 | 2 Microsoft, Weird Solutions | 2 Windows, Bootpturbo | 2026-01-26 | 7.8 High |
| BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | ||||
| CVE-2021-47827 | 2 Apple, Webssh | 2 Ios, Webssh | 2026-01-26 | 7.5 High |
| WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash. | ||||
| CVE-2021-47826 | 1 Acer | 1 Backup Manager Module | 2026-01-26 | 7.8 High |
| Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges. | ||||
| CVE-2021-47824 | 1 Splinterware | 1 Idailydiary | 2026-01-26 | 7.5 High |
| iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. | ||||
| CVE-2021-47823 | 1 Acer | 1 Epowersvc | 2026-01-26 | 7.8 High |
| Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | ||||