Export limit exceeded: 85436 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (85436 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10835 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2026-06-29 | 7.7 High |
| The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks. | ||||
| CVE-2026-49486 | 1 Apache | 1 Airflow Ftp Provider | 2026-06-29 | 7.5 High |
| The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel. | ||||
| CVE-2026-57912 | 1 Johnson & Johnson | 1 Campus Recruiting | 2026-06-29 | 7.5 High |
| Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers. | ||||
| CVE-2026-57913 | 1 Johnson & Johnson | 1 Audit Tracking Management System | 2026-06-29 | 7.5 High |
| Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts. | ||||
| CVE-2026-57920 | 1 Peplink | 1 Incontrol | 2026-06-29 | 7.7 High |
| Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints. | ||||
| CVE-2026-57527 | 1 Zaproxy | 1 Zap-extensions | 2026-06-29 | 8.8 High |
| Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel. | ||||
| CVE-2025-68063 | 2 Stylemixthemes, Wordpress | 2 Splash - Sport Club Wordpress Theme For Basketball, Football, Hockey, Wordpress | 2026-06-29 | 7.5 High |
| Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. | ||||
| CVE-2025-68064 | 2 Everthemess, Wordpress | 2 Goya Core, Wordpress | 2026-06-29 | 7.5 High |
| Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions. | ||||
| CVE-2026-54833 | 2 Dev Kabir, Wordpress | 2 Enable Cors, Wordpress | 2026-06-29 | 7.4 High |
| Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions. | ||||
| CVE-2026-54834 | 2 Fpuenteonline, Wordpress | 2 Object Cache 4 Everyone, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions. | ||||
| CVE-2026-54835 | 2 Rustaurius, Wordpress | 2 Five Star Restaurant Menu, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. | ||||
| CVE-2026-54837 | 2 Syed Balkhi, Wordpress | 2 Intranet & Private Site – All-in-one Intranet, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions. | ||||
| CVE-2026-54839 | 2 Kingaddons, Wordpress | 2 Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions. | ||||
| CVE-2026-54846 | 2 Akosglys, Wordpress | 2 Syncee Premium Dropshipping & Wholesale, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions. | ||||
| CVE-2026-56025 | 2 Paymob, Wordpress | 2 Paymob For Woocommerce, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions. | ||||
| CVE-2026-56029 | 2 Corvuspay, Wordpress | 2 Woocommerce Payment Gateway, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions. | ||||
| CVE-2026-56035 | 2 Cory Marsh, Wordpress | 2 Bitfire Security, Wordpress | 2026-06-29 | 8.6 High |
| Unauthenticated Multiple Vulnerabilities in BitFire Security <= 5.0.3 versions. | ||||
| CVE-2026-56038 | 2 Frisbii, Wordpress | 2 Frisbii Pay, Wordpress | 2026-06-29 | 8.8 High |
| Contributor Privilege Escalation in Frisbii Pay <= 1.8.2 versions. | ||||
| CVE-2026-56039 | 2 Wordpress, Wordpress.com | 2 Wordpress, Quick Interest Slider | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions. | ||||
| CVE-2026-56040 | 2 Wordpress, Wordpress.com | 2 Wordpress, Gutenverse Form | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions. | ||||