Export limit exceeded: 352777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352777 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8347 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | 4.3 Medium |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | ||||
| CVE-2026-9248 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 2.6 Low |
| Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-8435 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | 6.5 Medium |
| Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-35070 | 1 Dell | 1 Smartfabric Storage Software | 2026-05-22 | 6.4 Medium |
| Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker. | ||||
| CVE-2026-7890 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | 6.4 Medium |
| In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N. | ||||
| CVE-2026-9246 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 4.3 Medium |
| Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9291 | 1 Aws | 1 Amazon Braket Python Sdk | 2026-05-22 | 7.1 High |
| Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later. | ||||
| CVE-2026-9247 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 2.4 Low |
| Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-39832 | 1 Golang | 1 Ssh | 2026-05-22 | 9.1 Critical |
| When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. | ||||
| CVE-2026-9047 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 7.6 High |
| Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 | ||||
| CVE-2026-9224 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 4.3 Medium |
| Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-8477 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 2.7 Low |
| Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-5171 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 4.3 Medium |
| Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-7325 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 7.1 High |
| Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-39833 | 1 Golang | 1 Ssh | 2026-05-22 | 9.1 Critical |
| The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. | ||||
| CVE-2026-4931 | 1 Marginal | 2 Marginal Smart Contract, V1-core | 2026-05-22 | 6.8 Medium |
| Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | ||||
| CVE-2026-6960 | 2 Repute Infosystems, Wordpress | 2 Bookingpress Appointment Booking Pro, Wordpress | 2026-05-22 | 9.8 Critical |
| The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form. | ||||
| CVE-2026-7249 | 2 Shapedplugin, Wordpress | 2 Location Weather – Wordpress Weather Forecast, Aqi, Temperature And Weather Widget, Wordpress | 2026-05-22 | 4.3 Medium |
| The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook. | ||||
| CVE-2026-7798 | 2 Techjewel, Wordpress | 2 Fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution, Wordpress | 2026-05-22 | 5.4 Medium |
| The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests. | ||||
| CVE-2022-34363 | 1 Dell | 3 Unisphere 360, Unisphere For Powermax, Unisphere For Powermax Virtual Appliance | 2026-05-22 | 6.5 Medium |
| Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp | ||||