Export limit exceeded: 366276 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366276 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-55370 | 1 Logto-io | 1 Logto | 2026-07-13 | 6.4 Medium |
| Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0. | ||||
| CVE-2026-55405 | 1 Langchain4j | 1 Langchain4j | 2026-07-13 | 7.6 High |
| LangChain4j is a Java library for building LLM-powered applications on the JVM. Prior to 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26, the MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys, and in MariaDB string values, directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations, enabling blind data exfiltration, denial of service via sleep functions, and deletion of arbitrary rows through removeAll(Filter). This issue is fixed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. | ||||
| CVE-2026-57807 | 2 Miniorange Security Software Pvt Ltd., Wordpress | 2 Oauth Single Sign On - Sso (oauth Client), Wordpress | 2026-07-13 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd. OAuth Single Sign On - SSO (OAuth Client) allows Password Recovery Exploitation. This issue affects OAuth Single Sign On - SSO (OAuth Client): from n/a through 38.5.8. | ||||
| CVE-2026-9726 | 1 Drupal | 1 Drupal Alternativecommerce (basket) | 2026-07-13 | N/A |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17. | ||||
| CVE-2026-10768 | 1 Drupal | 1 Localgov Workflows | 2026-07-13 | N/A |
| Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-10769 | 1 Drupal | 1 Commerce Core | 2026-07-13 | N/A |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6. | ||||
| CVE-2026-20744 | 1 Hydro-québec | 1 Le Circuit Electrique Charging Station Backend | 2026-07-13 | 9.8 Critical |
| The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. | ||||
| CVE-2026-44383 | 1 Hydro-québec | 1 Le Circuit Electrique Charging Station Backend | 2026-07-13 | 7.5 High |
| Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend. | ||||
| CVE-2026-13262 | 2 Ahmadmj, Wordpress | 2 Majestic Support – The Leading-edge Help Desk & Customer Support Plugin, Wordpress | 2026-07-13 | 6.5 Medium |
| The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user. | ||||
| CVE-2026-3367 | 2 Lustmored, Wordpress | 2 Lockme Calendars Integration, Wordpress | 2026-07-13 | 4.4 Medium |
| The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users. | ||||
| CVE-2026-2354 | 2 Wordpress, Wpmessiah | 2 Wordpress, Swiss Toolkit For Wp | 2026-07-13 | 8.8 High |
| The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats. | ||||
| CVE-2026-6803 | 2 Wordpress, Wupsales | 2 Wordpress, Ai Copilot – Content Generator | 2026-07-13 | 5.3 Medium |
| The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers. | ||||
| CVE-2026-57391 | 2 Tangible, Wordpress | 2 Loops & Logic, Wordpress | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3. | ||||
| CVE-2026-57713 | 2 Marcus (aka @msykes), Wordpress | 2 Events Manager, Wordpress | 2026-07-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6. | ||||
| CVE-2026-15539 | 1 Sourcecodester | 1 Online Book Store System | 2026-07-13 | 4.7 Medium |
| A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-14165 | 1 Dassault Systèmes | 1 Tuleap Enterprise Edition | 2026-07-13 | 7.5 High |
| An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization. | ||||
| CVE-2026-57829 | 2026-07-13 | N/A | ||
| The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS. | ||||
| CVE-2026-9708 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 4.9 Medium |
| Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683 | ||||
| CVE-2026-50135 | 1 Gohugo | 1 Hugo | 2026-07-13 | N/A |
| Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0. | ||||
| CVE-2026-28378 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-07-13 | 3.1 Low |
| The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. | ||||