363779 matches found
CVE-2026-10850
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...
CVE-2026-11311
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the...
CVE-2024-47477
Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning...
CVE-2026-55738
A stack-based buffer overflow exists in the rawtoheader function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width...
CVE-2026-9591
Cross-site request forgery CSRF in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection...
CVE-2026-54813
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0...
CVE-2026-54817
Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4...
CVE-2026-54816
Improper Control of Generation of Code 'Code Injection' vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion. This issue affects Advanced Ads: from n/a through 2.0.21...
CVE-2026-54818
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in VeronaLabs Slimstat Analytics allows Blind SQL Injection. This issue affects Slimstat Analytics: from n/a through 5.4.11...
CVE-2026-54815
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6...
CVE-2026-54819
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0...
CVE-2026-54814
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109...
CVE-2026-54193
Contributor Arbitrary File Deletion in Fusion Builder = 3.15.4 versions...
CVE-2026-54809
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10...
CVE-2026-54808
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4...
CVE-2026-54417
An integer overflow in the mtarnext function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service uncontrolled CPU consumption / infinite loop via a crafted tar archive. mtarnext computes the offset to the next record as rounduph.size, 512 +...
CVE-2026-52707
Unauthenticated Local File Inclusion in Kastell = 2.0 versions...
CVE-2026-52716
Unauthenticated Arbitrary File Deletion in WorkScout-Core = 1.7.11 versions...
CVE-2026-49268
A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...
CVE-2026-49108
Unauthenticated PHP Object Injection in Moderno 1.43 versions...
CVE-2026-40756
Unauthenticated PHP Object Injection in Zoya = 1.4 versions...
CVE-2026-40752
Unauthenticated PHP Object Injection in Manufaktur Solutions = 1.1.1 versions...
CVE-2026-40733
Unauthenticated PHP Object Injection in ShiftUp = 1.3 versions...
CVE-2026-40738
Unauthenticated PHP Object Injection in Eldon = 1.4.1 versions...
CVE-2026-40757
Unauthenticated PHP Object Injection in Château = 1.2.1 versions...
CVE-2026-39559
Unauthenticated Local File Inclusion in Uppercase 1.2.2 versions...
CVE-2026-39590
Unauthenticated Local File Inclusion in Atomlab = 2.4.5 versions...
CVE-2026-40720
Unauthenticated Cross Site Scripting XSS in Royal Elementor Addons Pro 1.7.1041 versions...
CVE-2026-39576
Unauthenticated PHP Object Injection in SingleMalt = 1.5 versions...
CVE-2026-39560
Unauthenticated PHP Object Injection in Hiroshi = 1.5.1 versions...
CVE-2026-39556
Unauthenticated PHP Object Injection in Konsept = 1.9 versions...
CVE-2026-39442
Unauthenticated PHP Object Injection in PressMart = 1.2.26 versions...
CVE-2026-39523
Unauthenticated Local File Inclusion in Solene Core = 2.3.2 versions...
CVE-2026-39445
Unauthenticated PHP Object Injection in Alukas 3.0.0 versions...
CVE-2026-10641
Zephyr's Bluetooth Classic Hands-Free Profile HFP Hands-Free role parser subsys/bluetooth/host/classic/hfphf.c contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cindhandle, which assigns a per-entry counter index a...
CVE-2025-69170
Unauthenticated Local File Inclusion in Eventicity = 1.5 versions...
CVE-2025-69174
Unauthenticated Local File Inclusion in Etude = 1.6 versions...
CVE-2025-69166
Unauthenticated Local File Inclusion in Gunslinger = 1.7 versions...
CVE-2025-69175
Unauthenticated Local File Inclusion in Line Agency = 1.3.1 versions...
CVE-2025-69189
Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...
CVE-2025-69157
Unauthenticated Local File Inclusion in Gamic = 1.15 versions...
CVE-2025-69144
Unauthenticated Local File Inclusion in Preservation = 1.10 versions...
CVE-2025-69164
Unauthenticated Local File Inclusion in Skyward = 1.10 versions...
CVE-2025-69158
Unauthenticated Local File Inclusion in Granola = 1.13 versions...
CVE-2025-69140
Unauthenticated Cross Site Scripting XSS in SweetDate Core 1.1.5 versions...
CVE-2025-69127
Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...
CVE-2025-69126
Unauthenticated Local File Inclusion in Fortius = 2.3.0 versions...
CVE-2025-69128
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3...
CVE-2025-69130
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...
CVE-2025-69115
Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme = 1.2.2 versions...