
287 matches found

RedhatCVE
added 2026/06/05 7:12 p.m. (10 views)

CVE-2026-39358

CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters sortprice, sortactivity, sortadmin, and sortcustomer of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to...

7.2 CVSS, 6.1 AI score, 0.00307 EPSS
Exploits: 0, References: 1

Cvelist
added 2026/06/03 1:16 p.m. (38 views)

CVE-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

3.1 CVSS, 0.00285 EPSS
Exploits: 0, References: 3

Debian CVE
added 2026/06/03 1:16 p.m. (6 views)

CVE-2026-8404

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

5.3 CVSS, 5.8 AI score, 0.00285 EPSS
Exploits: 0

NVD
added 2026/05/19 4:16 a.m. (22 views)

CVE-2026-24792

in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps...

8.1 CVSS, 0.00428 EPSS
Exploits: 0, References: 1

Positive Technologies
added 2026/05/05 12:0 a.m. (8 views)

PT-2026-37078

Name of the Vulnerable Software and Affected Versions:
Django versions 6.0 through 6.0.4
Django versions 5.2 through 5.2.13

Description: An issue in django.middleware.cache.UpdateCacheMiddleware causes requests where the Vary header contains an asterisk '*' to be erroneously cached. This behavior ca...

5.3 CVSS, 5.8 AI score, 0.00358 EPSS
Exploits: 0, References: 20

Tenable Nessus
added 2026/04/10 12:0 a.m. (1 views)

Dotnetnuke 6.0.x < 10.2.2 Force Friend Request Acceptance (GHSA-fpj4-9qhx-5m6m)

According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 6.0.x prior to 10.2.2. It is, therefore, affected by a vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

5.9 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2026/04/09 12:0 a.m. (8 views)

Python Library Django 4.2.x < 4.2.30 / 5.2.x < 5.2.13 / 6.0.x < 6.0.4 Multiple Vulnerabilities

The detected version of the Django Python package is 4.2.x prior to 4.2.30, 5.2.x prior to 5.2.13, or 6.0.x prior to 6.0.4. It is, therefore, affected by multiple vulnerabilities, including: - ASGIRequest allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header...

9.8 CVSS, 5.9 AI score, 0.00769 EPSS
Exploits: 1, References: 6

NVD
added 2026/04/07 3:17 p.m. (9 views)

CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5 CVSS, 0.00769 EPSS
Exploits: 0, References: 3

CVE
added 2026/03/27 7:46 p.m. (11 views)

CVE-2026-33765

Summary: Pi-hole Admin Interface (web) prior to 6.0 contains a critical OS command injection in savesettings.php. The vulnerability arises from unsanitized user-controlled $_POST['webtheme'] being concatenated into a system command executed via PHP’s exec(), with the command running under sudo pr...

9.8 CVSS, 6 AI score, 0.01088 EPSS
Exploits: 0, References: 1, Affected Software: 1

NVD
added 2026/02/03 3:16 p.m. (6 views)

CVE-2025-13473

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

5.3 CVSS, 0.00713 EPSS
Exploits: 0, References: 3

RedhatCVE
added 2026/01/09 10:8 a.m. (17 views)

CVE-2019-20025

Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with manufacturer privileg...

10 CVSS, 7.1 AI score, 0.02925 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 9:14 a.m. (10 views)

CVE-2022-42485

Auth. contributor+ Cross-Site Scripting XSS vulnerability in Galaxy Weblinks Gallery with thumbnail slider plugin = 6.0 versions...

5.4 CVSS, 5.9 AI score, 0.00383 EPSS
Exploits: 0, References: 1

UbuntuCve
added 2025/12/19 11:15 a.m. (8 views)

CVE-2025-14847

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3,...

8.7 CVSS, 7 AI score, 0.83007 EPSS
Exploits: 39, References: 4

NVD
added 2025/10/07 6:15 p.m. (5 views)

CVE-2025-3450

An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions...

10 CVSS, 0.00254 EPSS
Exploits: 0, References: 1

EUVD
added 2025/10/07 12:30 a.m. (5 views)

EUVD-2017-1230

Malware in sbrugna...

9.3 CVSS, 8.8 AI score, 0.01437 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m. (6 views)

EUVD-2017-4751

Malware in sbrugna...

7.1 CVSS, 6.6 AI score, 0.00648 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m. (4 views)

EUVD-2017-1231

Malware in sbrugna...

9.3 CVSS, 8.8 AI score, 0.01437 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m. (7 views)

EUVD-2017-1072

Malware in sbrugna...

9.3 CVSS, 7.7 AI score, 0.01378 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m. (4 views)

EUVD-2006-5268

Malware in sbrugna...

7.5 CVSS, 6.4 AI score, 0.02849 EPSS
Exploits: 0, References: 6

EUVD
added 2025/10/07 12:30 a.m. (6 views)

EUVD-2020-12605

Malware in sbrugna...

4.9 CVSS, 5.1 AI score, 0.00995 EPSS
Exploits: 0, References: 2