Export limit exceeded: 352624 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (352624 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8432 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-8433 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-8416 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | ||||
| CVE-2026-8238 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. | ||||
| CVE-2026-8237 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. | ||||
| CVE-2026-27349 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-05-22 | 4.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5. | ||||
| CVE-2026-28764 | 1 Mediaarea | 1 Mediainfo | 2026-05-22 | 7.8 High |
| MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability | ||||
| CVE-2026-39531 | 2 Wordpress, Wpdirectorykit | 2 Wordpress, Wp Directory Kit | 2026-05-22 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0. | ||||
| CVE-2026-48213 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48214 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute and an inline JavaScript string literal. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48215 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48216 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema) directly into HTML form input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48217 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48219 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48220 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48221 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48222 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48223 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48225 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||
| CVE-2026-48226 | 1 Openises | 1 Tickets | 2026-05-22 | 5.4 Medium |
| Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | ||||