Export limit exceeded: 364862 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364862 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42952 | 2026-07-10 | 7.5 High | ||
| Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack. | ||||
| CVE-2026-20744 | 2026-07-10 | 9.8 Critical | ||
| The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. | ||||
| CVE-2026-55460 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 7.1 High |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-11914 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*. | ||||
| CVE-2026-15089 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*. | ||||
| CVE-2026-15087 | 2026-07-10 | N/A | ||
| vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*. | ||||
| CVE-2026-15085 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3. | ||||
| CVE-2026-15084 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17. | ||||
| CVE-2026-15082 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1. | ||||
| CVE-2026-15081 | 2026-07-10 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0. | ||||
| CVE-2026-15080 | 2026-07-10 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4. | ||||
| CVE-2026-58591 | 2026-07-10 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0. | ||||
| CVE-2026-58590 | 2026-07-10 | N/A | ||
| Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-58589 | 2026-07-10 | N/A | ||
| Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-13244 | 2026-07-10 | N/A | ||
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0. | ||||
| CVE-2026-52200 | 2026-07-10 | 9.8 Critical | ||
| An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk | ||||
| CVE-2026-55462 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 4.3 Medium |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55515 | 1 Grokability | 1 Snipe-it | 2026-07-10 | 5 Medium |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset, allowing a reports user in one company to delete pending checkout acceptance records for another company. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55466 | 1 Grokability | 1 Snipe-it | 2026-07-10 | N/A |
| Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer’s browser. This issue is fixed in version 8.6.2. | ||||
| CVE-2026-55452 | 1 Grokability | 1 Snipe-it | 2026-07-10 | N/A |
| Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0. | ||||