Export limit exceeded: 335532 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335532 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3025 | 1 Shuoren | 1 Smart Heating Integrated Management Platform | 2026-03-03 | 7.3 High |
| A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-2945 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2026-03-03 | 6.3 Medium |
| A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2019-25329 | 1 Internet-soft | 1 Ftp Navigator | 2026-03-03 | 7.5 High |
| FTP Navigator 8.03 contains a denial of service vulnerability that allows attackers to crash the application by overwriting Structured Exception Handler (SEH) with malicious input. Attackers can generate a payload of 4108 'A' characters followed by 4 'B' characters and 40 'C' characters to trigger a program crash when pasted into the custom command input. | ||||
| CVE-2026-2111 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2026-03-03 | 4.3 Medium |
| A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Module. Executing a manipulation of the argument filePath can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1813 | 2 Adlered, Bolo-blog | 2 Bolo-solo, Bolo-solo | 2026-03-03 | 6.3 Medium |
| A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-1812 | 2 Adlered, Bolo-blog | 2 Bolo-solo, Bolo-solo | 2026-03-03 | 6.3 Medium |
| A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3338 | 2026-03-02 | 7.5 High | ||
| Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ||||
| CVE-2026-3337 | 2026-03-02 | 5.9 Medium | ||
| Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ||||
| CVE-2026-3336 | 2026-03-02 | 7.5 High | ||
| Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ||||
| CVE-2026-2583 | 2026-03-02 | 6.4 Medium | ||
| The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0026 | 2026-03-02 | 7.8 High | ||
| In removePermission of PermissionManagerServiceImpl.java, there is a possible way to override any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-48587 | 2026-03-02 | 6.2 Medium | ||
| In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48585 | 2026-03-02 | 6.2 Medium | ||
| In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-25859 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 8.8 High |
| Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. | ||||
| CVE-2026-25568 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 4.3 Medium |
| WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. | ||||
| CVE-2026-25567 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 4.3 Medium |
| WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. | ||||
| CVE-2026-25566 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 5.4 Medium |
| WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. | ||||
| CVE-2026-25565 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 6.5 Medium |
| WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. | ||||
| CVE-2026-25564 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 7.5 High |
| WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | ||||
| CVE-2026-25563 | 1 Wekan Project | 1 Wekan | 2026-03-02 | 7.5 High |
| WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | ||||