366554 matches found
CVE-2019-25743
The CVE-2019-25743 entry affects WordPress Soliloquy Lite 2.5.6 and describes a persistent cross-site scripting vulnerability. An authenticated attacker can inject scripts by sending script payloads in the post_title parameter via the post editing endpoint; these payloads are stored and executed ...
CVE-2019-25742
CVE-2019-25742 affects WordPress Theme Zoner Real Estate 4.1.1 with a persistent XSS in the Address field during property creation. Authenticated agents can inject JavaScript payloads that execute when administrators view the property for approval, enabling cookie theft and potential session hija...
CVE-2019-25741
Mobatek MobaXterm 12.1 is affected by a SEH-based buffer overflow in the username field of session files. An attacker can craft a malicious sessions file that overflows the username, triggering code execution when imported, potentially enabling a reverse shell with the user’s privileges. The CVE ...
CVE-2019-25740
CVE-2019-25740 affects Joomla component com_jsjobs 1.2.6. An authenticated attacker can trigger arbitrary file deletion by sending POST requests to the job.savejob task with path traversal sequences in the field_2 parameter, enabling deletion of files accessible to the web server. The vulnerabili...
CVE-2019-25739
GigToDo 1.3 is affected by a persistent cross-site scripting vulnerability accessible through the create_proposal endpoint, enabling authenticated attackers to inject JavaScript/HTML in the proposal description. When stored proposals are viewed by admins or other users, the payload can execute, p...
CVE-2019-25738
The CVE affects WordPress Hybrid Composer 1.4.6, where an unauthenticated attacker can exploit the hc_ajax_save_option action via admin-ajax.php to modify WordPress options, enabling user registration and setting the default role to administrator, potentially leading to account takeover. The issu...
CVE-2019-25737
CVE-2019-25737 affects Live Chat Unlimited 2.8.3. The issue is a stored cross-site scripting (XSS) vulnerability in the chat input field that allows unauthenticated attackers to submit payloads with script tags and event handlers. These scripts can execute in the admin area, enabling cookie theft...
CVE-2019-25736
LabF nfsAxe 3.7 Ping Client is affected by a buffer overflow in the Host IP field that enables local code execution via a crafted input file containing shellcode and a overwritten return address, potentially running commands such as calc.exe. The CVSS metrics reported a high-severity, local-explo...
CVE-2019-25734
The CVE-2019-25734 entry concerns the WordPress plugin Contact Form by WD version 1.13.1. It describes a combined cross-site request forgery and local file inclusion vulnerability that lets unauthenticated attackers include arbitrary files by exploiting unsanitized action parameters. Attacks targ...
CVE-2019-25735
AllPlayer 7.4 has a local buffer overflow in URL handling that allows an attacker to overwrite SEH pointers with a crafted long URL via the Open URL dialog, enabling SEH-based code execution with user privileges. The vulnerability is local, requires no user interaction beyond URL input, and the i...
CVE-2019-25733
NetShareWatcher 1.5.8.0 contains a structured exception handler (SEH) buffer overflow in which a malicious input in the Restrictions custom filter field can overwrite SEH/NSEH pointers and cause code execution when Find is invoked. This is a local vulnerability with high impact (CVSSv3.1/8.4, CVS...
CVE-2019-25732
CVE-2019-25732 affects PHP EI-Tube Script 3. The vulnerability is an SQL injection in the search parameter that allows unauthenticated attackers to send crafted GET requests to the search endpoint to extract sensitive data (usernames, passwords, version details). Root cause is improper handling/e...
CVE-2019-25731
CVE-2019-25731 – Zuz Music 2.1 : A persistent cross-site scripting (XSS) vulnerability exists in zuzconsole contact form handling. Attackers can inject malicious JavaScript by submitting crafted data via POST to /gmusic/zuzconsole/___contact, with vulnerable fields including the name, subject, an...
CVE-2019-25730
CVE-2019-25730 affects Listing Hub CMS 1.0 . A vulnerability in the page pages.php where the id parameter is exploited via error-based SQL injection , allowing unauthenticated remote attackers to run arbitrary queries. The attacker can extract sensitive data such as database credentials, username...
CVE-2019-25729
CVE-2019-25729 : PDF Signer 3.0 is affected by a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code via the CSRF-TOKEN cookie parameter. Attackers can craft cookie values containing template payloads (e.g., shell_exec()) to run system comm...
CVE-2019-25727
The CVE-2019-25727 entry describes an Arbitrary File Download vulnerability in WordPress Plugin ad manager wd 1.0.11. An unauthenticated attacker can target the edit.php endpoint by supplying export=export_csv and a malicious path parameter to read sensitive files accessible to the web server (e....
CVE-2019-25728
Care2x 2.7 Hospital Information System is affected by SQL injection via the ck_config cookie parameter. The vulnerability allows unauthenticated attackers to inject arbitrary SQL through endpoints such as login.php, indexframe.php, and various module files, enabling extraction of sensitive databa...
CVE-2019-25726
CVE-2019-25726 affects All in One Video Downloader 1.2. An SQL injection vulnerability exists in the admin page edit via the id parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and potentially extract sensitive data (usernames, databases, version details). The provid...
CVE-2026-40541
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-40541.
CVE-2026-9491
Technical details are not publicly available in the provided documents for CVE-2026-9491; monitor for updates.
CVE-2026-9548
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-10856
CVE-2026-10856 concerns an open redirect in the MISP dashboard button widget due to a URL validation flaw. A crafted relative-looking URL could be accepted as a local path while browsers treat it as an external URL, especially when paths begin with /\ and browsers normalize backslashes to slashes...
CVE-2026-10810
CVE-2026-10810 affects itsourcecode Fees Management System up to version 1.0. The vulnerability resides in an unknown function of /navbar.php, whose manipulation leads to cross-site scripting. Exploitation is possible remotely and PoCs exist publicly. The CVE metrics indicate a MEDIUM severity (v...
CVE-2026-8037
CVE-2026-8037 affects Progress LoadMaster and related ADC components (ECS Connection Manager, Object Scale Connection Manager, MOVEit WAF). The vulnerability is an OS command injection in the API where unsanitized input in multiple command endpoints allows an unauthenticated attacker to execute a...
CVE-2026-10855
CVE-2026-10855 concerns an authorization flaw in the MISP Event Template Importer overwrite workflow. During overwrite, the system checked for a matching template but did not verify that the importing user belonged to the organization that owned the template. This could allow an authenticated use...
CVE-2026-10809
The CVE concerns itsourcecode Fees Management System 1.0. The vulnerability resides in /manage_user.php where manipulation of the ID parameter enables SQL injection, exploitable remotely. Public exploits exist per the provided description. Connected records confirm the issue, but no fix/version r...
CVE-2025-46638
Dell BSAFE SSL-J contains a vulnerability where resources are allocated without limits or throttling, enabling an unauthenticated remote attacker to cause a Denial of Service. Affected software is Dell BSAFE SSL-J; root cause is unbounded resource allocation. Impact is DoS with high severity (CVS...
CVE-2026-10854
CVE-2026-10854 affects MISP: a visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based acce...
CVE-2026-40605
CVE-2026-40605 concerns Tautulli, a Python-based tool for Plex Media Server. A path traversal vulnerability existed in the cache deletion API prior to version 2.17.1, allowing an authenticated user to delete directories outside the configured cache path, which could lead to arbitrary data loss an...
CVE-2026-43926
FOSSBilling prior to 0.8.0 allows probing the password-reset flow because the non-API controller for /client/reset-password-confirm/:hash is not rate-limited like /api/* endpoints. The endpoint may reveal valid vs invalid tokens (200 vs 302), enabling unlimited token guessing until expiry. Token ...
CVE-2026-10808
The CVE-2026-10808 entry concerns itsourcecode Fees Management System 1.0. A SQL injection vulnerability exists in the /manage_student.php script, triggered by manipulating the ID parameter. This affects an unknown function within that file. The issue allows remote exploitation, and a public expl...
CVE-2025-62338
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-10807
The CVE-2026-10807 entry concerns mjperpinosa stumasy, affecting the unknown function in application/PHP/objects/profiles/change_profile_image.php. The issue allows an attacker to manipulate the pr_profile_image argument to achieve unrestricted upload, with remote exploitation. Public exploit dis...
CVE-2026-10806
CVE-2026-10806 affects mjperpinosa stumasy. The vulnerability resides in an unknown function within application/PHP/objects/updates/add_post.php, where manipulating the argument up_file_to_post enables unrestricted file upload. This could allow remote exploitation with low privileges and no user ...
CVE-2025-59874
CVE-2025-59874 affects HCL Hive Telco Observability. The issue is identified as a missing CSP directive in the web application’s Keycloak component, with missing essential directives leaving the site vulnerable. The CVSS v3.1 base metrics indicate a high-severity, network-exploitability risk (AV:...
CVE-2026-45433
CVE-2026-45433 affects GX Earth 2022 ONT models. The issue is a hardcoded RSA private key embedded in device firmware, enabling a remote attacker to extract the key and potentially decrypt HTTPS traffic, enabling MITM attacks on the affected devices. The connected CVE listing documents this root ...
CVE-2026-49858
Technical details for CVE-2026-49858 are not publicly available in the provided documents. Monitor for updates as the candidate is reserved and no impact, products, or remediation information is disclosed.
CVE-2026-45432
The CVE-2026-45432 entry describes a vulnerability in GX Earth ONT models where user credentials are transmitted in cleartext over HTTP in the device’s web management interface. This allows a remote attacker who can intercept network traffic to obtain sensitive authentication data, potentially le...
CVE-2026-10843
OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS allow operator credentials to have account-wide permissions for destructive actions, rather than being restricted to cluster-owned resources. This enables cross-scope impact after credential compromise. The CVE-2026-10843 entry do...
CVE-2026-10840
CVE-2026-10840 concerns the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role. When Kueue or cert-manager CRDs are present, any authenticated...
CVE-2025-12694
Forcepoint VPN Client for Windows is affected by a local privilege escalation (CVE-2025-12694) that allows a local non-administrative user to escalate privileges to SYSTEM. Affected versions: Windows client 6.11.3 and prior. The vulnerability is local with low attack complexity and no user intera...
CVE-2026-45431
CVE-2026-45431 affects GX Earth ONT models. The issue stems from improper handling of user-supplied input in multiple diagnostic functions within the web management interface, enabling an authenticated remote attacker to inject commands and achieve remote code execution with root privileges. The ...
CVE-2026-10804
CVE-2026-10804 affects Streamlit up to 1.53.0, targeting an unknown function in the Palette Handler’s hashing.py (lib/streamlit/runtime/caching/hashing.py). The issue allows use of a weak hash due to the described manipulation, with local access required and a high attack complexity. The exploita...
CVE-2025-52606
Technical details about CVE-2025-52606 are not publicly provided in the supplied documents. No affected products, versions, exploit info, or remediation are specified here. Monitor for updates.
CVE-2025-52608
The CVE-2025-52608 entry concerns HCL iControl with Missing Cookie Attributes: cookies lack Secure and SameSite flags and have root path. Affected component is the web application’s session cookies; root path configuration and missing security attributes are cited as the underlying issue. The pro...
CVE-2026-10803
MLflow up to 3.10.0 contains a flaw in mlflow.data.digest_utils (Digest Computation) where manipulation leads to use of a weak hash. This affects the Digest Utils function in the Dataset Digest Computation component and enables a local attack. The reported exploitability is high in complexity wit...
CVE-2025-52609
Technical details about CVE-2025-52609 are not publicly available in the provided documents. Monitor for updates from vendors and advisories; current descriptions indicate a Missing Security Headers/XSS issue but no concrete affected versions or fixes.
CVE-2025-52611
CVE-2025-52611 concerns HCL iControl v4.0.0, where an unhandled exception leads to stack trace disclosure. The root cause is described as accessing an undefined object’s property, specifically the dashboard key, within the application's JavaScript code. This missing/improperly initialized object ...
CVE-2025-52612
CVE-2025-52612 affects HCL iControl. The vulnerability is described as a CSV export injection that enables reflected cross-site scripting due to insufficient input parameter sanitization. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates high impact across confidentiality, integ...
CVE-2026-31158
Technical details for CVE-2026-31158 are not publicly available in the provided documents. Monitor for updates.