Export limit exceeded: 85422 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 363020 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363020 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57621 2 Arraytics, Wordpress 2 Booktics, Wordpress 2026-07-02 9.8 Critical
Unauthenticated PHP Object Injection in Booktics <= 1.0.21 versions.
CVE-2026-57670 2 Codepeople, Wordpress 2 Google Maps Cp, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions.
CVE-2026-57671 2 Perfmatters, Wordpress 2 Perfmatters, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions.
CVE-2026-57674 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
CVE-2026-10077 2026-07-02 6.8 Medium
The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.
CVE-2025-69152 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
CVE-2026-27425 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.
CVE-2026-50284 2026-07-02 N/A
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.
CVE-2026-14427 1 Google 1 Chrome 2026-07-02 8.3 High
Heap buffer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-14411 1 Google 1 Chrome 2026-07-02 9.6 Critical
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14414 1 Google 1 Chrome 2026-07-02 5.3 Medium
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14429 1 Google 1 Chrome 2026-07-02 8.3 High
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14389 1 Google 1 Chrome 2026-07-02 8.3 High
Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14430 1 Google 1 Chrome 2026-07-02 8.8 High
Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14416 1 Google 1 Chrome 2026-07-02 9.6 Critical
Out of bounds read in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-57347 2 Jetmonsters, Wordpress 2 Hotel Booking Lite, Wordpress 2026-07-02 6.5 Medium
Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.
CVE-2026-57349 2 Etruel, Wordpress 2 Wpematico Rss Feed Fetcher, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.
CVE-2026-57353 2026-07-02 6.5 Medium
Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.
CVE-2026-55794 2026-07-02 N/A
Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.
CVE-2026-57730 2026-07-02 4.3 Medium
Subscriber Broken Access Control in Flatsome <= 3.20.5 versions.