Export limit exceeded: 363604 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363604 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-14653 | 1 Sourcecodester | 1 Simple And Nice Shopping Cart Script | 2026-07-06 | 7.3 High |
| A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1.0. This impacts an unknown function of the file /admin/mensproductdeletequery.php. This manipulation of the argument user_id causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-49042 | 2026-07-06 | 7.3 High | ||
| Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue. | ||||
| CVE-2026-46587 | 1 Apache | 1 Camel | 2026-07-06 | 7.3 High |
| Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue. | ||||
| CVE-2026-14687 | 1 666ghj | 1 Bettafish | 2026-07-06 | 5.3 Medium |
| A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the file InsightEngine/agent.py of the component InsightEngine search-result Deduplication. Executing a manipulation can lead to partial string comparison. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance. | ||||
| CVE-2026-46588 | 1 Apache | 1 Camel | 2026-07-06 | 7.3 High |
| Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue. | ||||
| CVE-2026-14693 | 1 Sourcecodester | 1 Multi-vendor Online Grocery Management System | 2026-07-06 | 5.4 Medium |
| A flaw has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this vulnerability is the function cancel_order of the file classes/Master.php. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-20706 | 2026-07-06 | 9.1 Critical | ||
| Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint. | ||||
| CVE-2026-12252 | 1 Nltk | 1 Nltk/nltk | 2026-07-06 | 7.8 High |
| In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser) are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute them via the `java()` function, which invokes `subprocess.Popen()` without integrity verification. This vulnerability is identical to CVE-2026-0848, which was fixed for StanfordSegmenter by adding SHA256 verification. However, the fix was not applied to these additional classes, leaving them susceptible to arbitrary code execution when loading untrusted JAR files. | ||||
| CVE-2026-12194 | 1 Phpipam | 1 Phpipam | 2026-07-06 | N/A |
| PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations. | ||||
| CVE-2026-12195 | 2026-07-06 | N/A | ||
| myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVesta. | ||||
| CVE-2026-45489 | 1 Microsoft | 1 Edge Chromium | 2026-07-06 | 6.5 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2026-48614 | 1 Webpros | 1 Plesk | 2026-07-06 | 9.9 Critical |
| An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server. | ||||
| CVE-2026-10536 | 1 Curl | 1 Curl | 2026-07-06 | 9.8 Critical |
| A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. | ||||
| CVE-2026-11352 | 1 Curl | 1 Curl | 2026-07-06 | 7.5 High |
| An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. | ||||
| CVE-2026-14714 | 1 Zhayujie | 1 Chatgpt-on-wechat Cowagent | 2026-07-06 | 6.5 Medium |
| A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.1.0. This issue affects the function verify_server of the file channel/wechatmp/common.py of the component wx Endpoint. This manipulation of the argument wechatmp_token causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.1.1 is capable of addressing this issue. Patch name: 3d7c68bac6ee74fad63f43cf99e45c62e202ed55. It is suggested to upgrade the affected component. The project confirms: "We've added an explicit non-empty check for wechatmp_token in verify_server() so that the /wx endpoint now fails closed with 403 Forbidden whenever the token is missing or left at the default empty value, instead of relying on a signature check that silently degenerates to a predictable hash." | ||||
| CVE-2025-71373 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-07-06 | 8.1 High |
| picklescan before 0.0.33 fails to detect operator.methodcaller function calls in pickle files, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle payloads using operator.methodcaller that execute arbitrary code when loaded, compromising systems relying on picklescan for validation. | ||||
| CVE-2026-14734 | 1 Sourcecodester | 1 Class And Exam Timetabling System | 2026-07-06 | 7.3 High |
| A flaw has been found in SourceCodester Class and Exam Timetabling System 1.0. Impacted is an unknown function of the file /edit_product.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-14618 | 1 Open5gs | 1 Open5gs | 2026-07-06 | 4.3 Medium |
| A vulnerability was detected in Open5GS up to 2.7.7. Affected by this vulnerability is the function amf_nnrf_handle_nf_discover of the file src/amf/nnrf-handler.c of the component AMF. The manipulation results in denial of service. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as fb5f67703de0213fb9c6e6ef3b48b6c1707e9503. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2026-14621 | 1 Federatedai | 1 Fate | 2026-07-06 | 3.1 Low |
| A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument rollSiteSessionId/dstRole/dstPartyId leads to exposure of data element to wrong session. The attack can be executed remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | ||||
| CVE-2026-14625 | 1 Nousresearch | 1 Hermes-agent | 2026-07-06 | 6.3 Medium |
| A security flaw has been discovered in NousResearch hermes-agent up to 0.15.2. The affected element is the function shell.exec of the file tui_gateway/server.py. The manipulation results in protection mechanism failure. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||