Search Results (86059 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57678 2 Themepunch, Wordpress 2 Slider Revolution, Wordpress 2026-07-03 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16.
CVE-2026-20214 2026-07-03 7.5 High
A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in FSG files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains portable executable content compressed with FSG to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
CVE-2026-20216 2026-07-03 7.5 High
A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper handling of temporary resources during file scanning. An attacker could exploit this vulnerability by submitting a crafted InstallShield file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process and temporarily consume available system resources, resulting in a DoS condition on the affected software.
CVE-2026-55952 1 Erlang 3 Erlang/otp, Erlang\/otp, Otp 2026-07-03 7.5 High
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected. This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
CVE-2026-11577 1 Redhat 5 Build Of Keycloak, Data Grid, Jboss Enterprise Application Platform and 2 more 2026-07-03 7.2 High
The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.
CVE-2026-9563 1 Eclipse 1 Parsson 2026-07-03 7.5 High
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
CVE-2026-50521 1 Microsoft 1 Edge Chromium 2026-07-03 8.3 High
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.
CVE-2026-12912 2 Libtiff, Redhat 4 Libtiff, Enterprise Linux, Hardened Images and 1 more 2026-07-02 7.3 High
A flaw was found in libtiff. A remote attacker could exploit this vulnerability by providing a specially crafted PixarLog-compressed TIFF image. This issue occurs when decoding Pixarlog codec images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow. This could potentially result in arbitrary code execution or a denial of service (DoS).
CVE-2026-57766 2 Wordpress, Xplodedthemes 2 Wordpress, Wpide - File Manager & Code Editor 2026-07-02 8.8 High
Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6 versions.
CVE-2026-57759 2 Metagauss, Wordpress 2 Profilegrid, Wordpress 2026-07-02 8.8 High
Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.
CVE-2026-57361 2 Ays-pro, Wordpress 2 Survey Maker, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Survey Maker <= 5.2.2.5 versions.
CVE-2026-57682 2 Quantumcloud, Wordpress 2 Simple Link Directory, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions.
CVE-2026-57674 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
CVE-2026-57362 2 Quantumcloud, Wordpress 2 Chatbot, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ChatBot <= 8.3.2 versions.
CVE-2026-57356 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.
CVE-2026-57343 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Real Estate 7 <= 3.5.9 versions.
CVE-2026-59095 1 Lobehub 1 Lobehub 2026-07-02 7.7 High
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.
CVE-2026-57765 2 Levelfourdevelopment, Wordpress 2 Wp-easycart, Wordpress 2026-07-02 8.5 High
Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.
CVE-2026-57758 2026-07-02 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.
CVE-2026-57752 2026-07-02 8.5 High
Contributor SQL Injection in iNET Webkit 1.2.4 versions.