Export limit exceeded: 363726 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363726 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-53884 1 Webedition 1 Webedition Cms 2026-04-07 5.4 Medium
Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.
CVE-2023-53881 2 Ruijie, Ruijienetworks 2 Reyee Os, Reyee Os 2026-04-07 8.1 High
ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests.
CVE-2023-53877 1 Phpjabbers 1 Bus Reservation System 2026-04-07 9.8 Critical
Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal information from the database.
CVE-2023-53876 1 Creativeitem 1 Academy Lms 2026-04-07 5.4 Medium
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
CVE-2023-53875 1 Gomlab 1 Gom Player 2026-04-07 8.8 High
GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction.
CVE-2023-53874 1 Gomlab 1 Gom Player 2026-04-07 9.8 Critical
GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 'A' characters to trigger a buffer overflow and cause application instability.
CVE-2023-53871 1 Soosyze 1 Soosyze 2026-04-07 9.8 Critical
Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit the broken file upload mechanism to potentially view sensitive file paths and execute malicious PHP scripts on the server.
CVE-2023-53868 2 Coppermine, Coppermine-gallery 3 Coppermine Photo Gallery, Gallery, Coppermine Photo Gallery 2026-04-07 8.8 High
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script.
CVE-2023-53776 1 Dbbroadcast 3 Sft Dab 600\/c, Sft Dab 600\/c Firmware, Sft Dab Series 2026-04-07 8.8 High
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the session binding mechanism to perform critical operations on the transmitter.
CVE-2023-53775 1 Dbbroadcast 3 Sft Dab 600\/c, Sft Dab 600\/c Firmware, Sft Dab Series 2026-04-07 6.5 Medium
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. Attackers can reuse IP-bound session identifiers to issue unauthorized requests to the userManager API and modify user credentials without proper authentication.
CVE-2023-53774 1 Minidvblinux 1 Minidvblinux 2026-04-07 9.8 Critical
MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely.
CVE-2023-53773 1 Minidvblinux 1 Minidvblinux 2026-04-07 5.3 Medium
MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication.
CVE-2023-53772 1 Minidvblinux 1 Minidvblinux 2026-04-07 7.5 High
MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device.
CVE-2023-53771 1 Minidvblinux 1 Minidvblinux 2026-04-07 9.8 Critical
MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials.
CVE-2023-53770 1 Minidvblinux 1 Minidvblinux 2026-04-07 7.5 High
MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials.
CVE-2023-53741 1 Dbbroadcast 11 Sft Dab 015\/c, Sft Dab 015\/c Firmware, Sft Dab 050\/c and 8 more 2026-04-07 8.1 High
Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers. Attackers can exploit the vulnerable API by intercepting and reusing established sessions to remove user accounts without proper authorization.
CVE-2023-53740 1 Dbbroadcast 11 Sft Dab 015\/c, Sft Dab 015\/c Firmware, Sft Dab 050\/c and 8 more 2026-04-07 9.8 Critical
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a new MD5-hashed password to directly modify the admin account.
CVE-2022-50939 1 E107 2 E107, E107 Cms 2026-04-07 7.2 High
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface.
CVE-2022-50937 1 Ametys 1 Ametys 2026-04-07 6.1 Medium
Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules.
CVE-2022-50925 1 Prowise 2 Prowise Reflect, Reflect 2026-04-07 9.8 Critical
Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages.