Export limit exceeded: 352815 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 352815 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352815 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9471 | 1 Yashpokharna2555 | 1 Studentmanagementsystem | 2026-05-26 | 3.5 Low |
| A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-9468 | 1 Dazeb | 1 Cline-mcp-memory-bank | 2026-05-26 | 6.3 Medium |
| A security flaw has been discovered in dazeb cline-mcp-memory-bank up to 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. The affected element is the function handleInitializeMemoryBank of the file src/index.ts. The manipulation of the argument projectPath results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-9477 | 1 Totolink | 2 A8000ru, A8000ru Firmware | 2026-05-26 | 9.8 Critical |
| A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-48847 | 1 Roundcube | 1 Webmail | 2026-05-26 | 3.7 Low |
| Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. | ||||
| CVE-2026-9483 | 1 Sourcecodester | 1 Student Grades Management System | 2026-05-26 | 6.3 Medium |
| A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-48849 | 1 Roundcube | 1 Webmail | 2026-05-26 | 4.4 Medium |
| In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. | ||||
| CVE-2026-5223 | 1 Rust-lang | 1 Cargo | 2026-05-26 | N/A |
| Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. | ||||
| CVE-2018-25361 | 1 Soroush | 1 Soroush Messenger | 2026-05-26 | 6.8 Medium |
| Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode. | ||||
| CVE-2026-48848 | 1 Roundcube | 1 Webmail | 2026-05-26 | 7.2 High |
| Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute. | ||||
| CVE-2018-25367 | 1 Nasa | 1 Openvsp | 2026-05-26 | 6.2 Medium |
| NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Attackers can trigger a denial of service by pasting a 5000-byte payload into the name input field within the Geom browser pod addition interface. | ||||
| CVE-2018-25369 | 1 Scanwith | 1 Visual Ping | 2026-05-26 | 6.2 Medium |
| Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Attackers can inject malicious payloads exceeding 4108 bytes into the Host, Time Out, Packet Size, Pause, or Loops fields to trigger a denial of service condition. | ||||
| CVE-2018-25373 | 1 Socusoft | 1 Dvd Photo Slideshow Professional | 2026-05-26 | 8.4 High |
| SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious text file with carefully constructed payload containing junk bytes, SEH chain overwrite, and shellcode, then paste the contents into the Registration Name field via Help > Register to trigger code execution. | ||||
| CVE-2018-25375 | 1 Socusoft | 1 Ipod Photo Slideshow | 2026-05-26 | 8.4 High |
| SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft malicious input in the Registration Name and Registration Key fields to trigger a stack-based buffer overflow and execute a reverse shell payload. | ||||
| CVE-2018-25378 | 1 Stokedonit | 1 Notebook Pro | 2026-05-26 | 6.2 Medium |
| Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook. | ||||
| CVE-2018-25379 | 1 Ourenergy | 1 Collectric Cmu | 2026-05-26 | 8.2 High |
| Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques. | ||||
| CVE-2018-25381 | 2 Almera Responsive Portfolio Project, Extro | 2 Almera Responsive Portfolio, Responsive Portfolio | 2026-05-26 | 7.1 High |
| Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details. | ||||
| CVE-2026-9473 | 1 C-rick | 1 Jimeng-mcp | 2026-05-26 | 6.3 Medium |
| A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-44598 | 1 Apache | 1 Shiro | 2026-05-26 | N/A |
| With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie. | ||||
| CVE-2026-24545 | 2 Nikki Blight, Wordpress | 2 Qr Redirector, Wordpress | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. | ||||
| CVE-2026-24582 | 2 Wordpress, Wppool | 2 Wordpress, Flextable | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. | ||||