Export limit exceeded: 363021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363021 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20460 | 1 Mediatek, Inc. | 1 Mediatek Chipset | 2026-07-02 | 5.3 Medium |
| In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788. | ||||
| CVE-2026-20462 | 1 Mediatek, Inc. | 1 Mediatek Chipset | 2026-07-02 | 6.7 Medium |
| In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871. | ||||
| CVE-2026-11568 | 2026-07-02 | 7.5 High | ||
| The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed. | ||||
| CVE-2026-11570 | 2026-07-02 | 4.2 Medium | ||
| The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled. | ||||
| CVE-2026-11880 | 2026-07-02 | 3.1 Low | ||
| The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users. | ||||
| CVE-2026-11887 | 2 Salonbookingsystem, Wordpress | 2 Salon Booking System, Wordpress | 2026-07-02 | 4.3 Medium |
| The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings. | ||||
| CVE-2026-57765 | 2 Levelfourdevelopment, Wordpress | 2 Wp-easycart, Wordpress | 2026-07-02 | 8.5 High |
| Contributor SQL Injection in WP EasyCart <= 5.9.0 versions. | ||||
| CVE-2026-57766 | 2 Wordpress, Xplodedthemes | 2 Wordpress, Wpide - File Manager & Code Editor | 2026-07-02 | 8.8 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6 versions. | ||||
| CVE-2026-57678 | 2 Themepunch, Wordpress | 2 Slider Revolution, Wordpress | 2026-07-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16. | ||||
| CVE-2026-53358 | 1 Linux | 1 Linux Kernel | 2026-07-02 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared. | ||||
| CVE-2026-53357 | 1 Linux | 1 Linux Kernel | 2026-07-02 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked. l2cap_sock_cleanup_listen() walks these children on listening-socket close. A concurrent HCI disconnect drives hci_rx_work -> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and frees the child sk and its l2cap_chan; cleanup_listen() then uses both: BUG: KASAN: slab-use-after-free in l2cap_sock_kill l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the accept_q list/poll and takes temporary refs inside bt_accept_dequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanup_listen() under lock_sock() in l2cap_sock_release(). Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF still reproduces on current bluetooth/master. Take the reference at the source: bt_accept_dequeue() does sock_hold() while sk is still locked, before release_sock(); callers sock_put(). cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sk_lock (lockdep). KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master. | ||||
| CVE-2026-58172 | 1 Threemammals | 1 Ocelot | 2026-07-02 | 9.1 Critical |
| Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list. | ||||
| CVE-2026-57948 | 3 Pinpoint, Pinpoint-apm, Wordpress | 3 Pinpoint Booking System, Pinpoint, Wordpress | 2026-07-02 | 6.8 Medium |
| Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking. | ||||
| CVE-2026-24247 | 1 Nvidia | 1 Megatron-bridge | 2026-07-02 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24249 | 1 Nvidia | 1 Megatron-bridge | 2026-07-02 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24270 | 2026-07-02 | 9.8 Critical | ||
| NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2026-57681 | 2 Paolo, Wordpress | 2 Geodirectory, Wordpress | 2026-07-02 | 6.4 Medium |
| Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions. | ||||
| CVE-2026-57682 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions. | ||||
| CVE-2026-57687 | 2 Hiroaki Miyashita, Wordpress | 2 Custom Field Template, Wordpress | 2026-07-02 | 8.5 High |
| Contributor SQL Injection in Custom Field Template <= 2.7.8 versions. | ||||
| CVE-2026-58652 | 2026-07-02 | 7.5 High | ||
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||