Search Results (354383 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-38931 | 1 Creatorsofcode | 1 Simplephp | 2026-05-30 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (latest as of 2026-02-27) via a crafted payload. |
| CVE-2025-12686 | 1 Synology | 2 Beestation Manager, Beestation Os | 2026-05-30 | 9.8 Critical | Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2026-2237 | 1 Synology | 1 Storage Manager | 2026-05-30 | 6.2 Medium | A use of GET request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information. |
| CVE-2026-42733 | 2 Realmag777, Wordpress | 2 Wpcs, Wordpress | 2026-05-30 | 7.1 High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1. |
| CVE-2026-42751 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Manager | 2026-05-30 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.18. |
| CVE-2026-42759 | 2 Timo, Wordpress | 2 Affiliate Super Assistent, Wordpress | 2026-05-30 | 7.1 High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS. This issue affects Affiliate Super Assistent: from n/a through <= 1.10.1. |
| CVE-2026-3012 | 2 Redhat, Samba | 4 Enterprise Linux, Openshift, Openshift Container Platform and 1 more | 2026-05-30 | 8 High | A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications. |
| CVE-2026-1933 | 2 Redhat, Samba | 4 Enterprise Linux, Openshift, Openshift Container Platform and 1 more | 2026-05-30 | 7.1 High | A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with `read only = yes`. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types. |
| CVE-2026-35087 | 1 Slican | 5 Cct-1668, Cxs-0424, Ipx and 2 more | 2026-05-30 | N/A | Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command. This issue was fixed in the versions below: NCP: version 1.24.0250; IPx series: version 6.61.0040; CCT-1668: version 6.56.0430; MAC-6400: version 6.56.0430; CXS-0424: version 6.30.0510. The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: CCT-1668 (CCT1CPU), MAC-6400, CXS-0424. These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. |
| CVE-2026-35089 | 1 Slican | 4 Cct-1668, Cxs-0424, Ipx and 1 more | 2026-05-30 | N/A | In Slican telephone exchanges, the secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials. This issue was fixed in the versions below: IPx series: version 6.61.0040; CCT-1668: version 6.56.0430; MAC-6400: version 6.56.0430; CXS-0424: version 6.30.0510. The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: CCT-1668 (CCT1CPU), MAC-6400, CXS-0424. These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. |
| CVE-2026-35090 | 1 Slican | 5 Cct-1668, Cxs-0424, Ipl-256 and 2 more | 2026-05-30 | N/A | In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchange's configuration. If remote access is disabled, calling with this caller ID will temporarily enable it. This issue was fixed in the versions below: IPL-256: version 6.61.0040; IPM-032: version 6.61.0040; CCT-1668: version 6.56.0430; MAC-6400: version 6.56.0430; CXS-0424: version 6.30.0510. The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: CCT-1668 (CCT1CPU), MAC-6400, CXS-0424. These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading. |
| CVE-2026-48916 | 1 Jenkins Project | 1 Jenkins Ldap Plugin | 2026-05-30 | 6.6 Medium | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. |
| CVE-2026-48917 | 1 Jenkins Project | 1 Jenkins Ldap Plugin | 2026-05-30 | 6.6 Medium | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48918 | 2 Jenkins, Jenkins Project | 2 Active Directory, Jenkins Active Directory Plugin | 2026-05-30 | 6.6 Medium | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. |
| CVE-2026-48919 | 2 Jenkins, Jenkins Project | 2 Active Directory, Jenkins Active Directory Plugin | 2026-05-30 | 6.6 Medium | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48920 | 2 Jenkins, Jenkins Project | 2 Email Extension, Jenkins Email Extension Plugin | 2026-05-30 | 8.8 High | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. |
| CVE-2026-48921 | 2 Jenkins, Jenkins Project | 2 Pipeline\, Jenkins Pipeline Groovy Libraries Plugin | 2026-05-30 | 7.5 High | Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. |
| CVE-2026-48923 | 2 Jenkins, Jenkins Project | 2 Appspider, Jenkins Appspider Plugin | 2026-05-30 | 4.3 Medium | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2026-48924 | 2 Jenkins, Jenkins Project | 2 Bitbucket Oauth, Jenkins Bitbucket Oauth Plugin | 2026-05-30 | 4.3 Medium | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-48926 | 1 Jenkins Project | 1 Jenkins Job Import Plugin | 2026-05-30 | 4.3 Medium | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins. |