Export limit exceeded: 353474 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 353474 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 353474 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (353474 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25380 | 1 Extro | 1 Extroforms | 2026-05-26 | 7.1 High |
| Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data. | ||||
| CVE-2018-25371 | 1 Moosocial | 2 Moosocial, Moosocial Store Plugin | 2026-05-26 | 8.2 High |
| mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information. | ||||
| CVE-2026-9465 | 1 Tiandy | 1 Easy7 Integrated Management Platform | 2026-05-26 | 7.3 High |
| A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-48846 | 1 Roundcube | 1 Webmail | 2026-05-26 | 6.5 Medium |
| In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass. | ||||
| CVE-2026-27768 | 1 Genetec | 1 Security Center | 2026-05-26 | 6.6 Medium |
| SQL Injection affecting the Access Manager role. | ||||
| CVE-2026-9471 | 1 Yashpokharna2555 | 1 Studentmanagementsystem | 2026-05-26 | 3.5 Low |
| A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-9468 | 1 Dazeb | 1 Cline-mcp-memory-bank | 2026-05-26 | 6.3 Medium |
| A security flaw has been discovered in dazeb cline-mcp-memory-bank up to 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. The affected element is the function handleInitializeMemoryBank of the file src/index.ts. The manipulation of the argument projectPath results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-9477 | 1 Totolink | 2 A8000ru, A8000ru Firmware | 2026-05-26 | 9.8 Critical |
| A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-48847 | 1 Roundcube | 1 Webmail | 2026-05-26 | 3.7 Low |
| Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. | ||||
| CVE-2026-9483 | 1 Sourcecodester | 1 Student Grades Management System | 2026-05-26 | 6.3 Medium |
| A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-48849 | 1 Roundcube | 1 Webmail | 2026-05-26 | 4.4 Medium |
| In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. | ||||
| CVE-2026-5223 | 1 Rust-lang | 1 Cargo | 2026-05-26 | N/A |
| Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. | ||||
| CVE-2026-48848 | 1 Roundcube | 1 Webmail | 2026-05-26 | 7.2 High |
| Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute. | ||||
| CVE-2018-25369 | 1 Scanwith | 1 Visual Ping | 2026-05-26 | 6.2 Medium |
| Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Attackers can inject malicious payloads exceeding 4108 bytes into the Host, Time Out, Packet Size, Pause, or Loops fields to trigger a denial of service condition. | ||||
| CVE-2018-25375 | 1 Socusoft | 1 Ipod Photo Slideshow | 2026-05-26 | 8.4 High |
| SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft malicious input in the Registration Name and Registration Key fields to trigger a stack-based buffer overflow and execute a reverse shell payload. | ||||
| CVE-2018-25378 | 1 Stokedonit | 1 Notebook Pro | 2026-05-26 | 6.2 Medium |
| Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook. | ||||
| CVE-2018-25381 | 2 Almera Responsive Portfolio Project, Extro | 2 Almera Responsive Portfolio, Responsive Portfolio | 2026-05-26 | 7.1 High |
| Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details. | ||||
| CVE-2026-9473 | 1 C-rick | 1 Jimeng-mcp | 2026-05-26 | 6.3 Medium |
| A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-44598 | 1 Apache | 1 Shiro | 2026-05-26 | N/A |
| With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie. | ||||
| CVE-2026-24545 | 2 Nikki Blight, Wordpress | 2 Qr Redirector, Wordpress | 2026-05-26 | 4.3 Medium |
| Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. | ||||