Export limit exceeded: 87026 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (87026 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-11575 | 2026-07-17 | 7.5 High | ||
| The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made. | ||||
| CVE-2026-44435 | 1 H2o | 1 Quicly | 2026-07-17 | 7.5 High |
| Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9. | ||||
| CVE-2026-62205 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 7.1 High |
| OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path can perform actions that should have required a stronger authorization or policy check. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. The issue is fixed in 2026.6.6. | ||||
| CVE-2026-24244 | 1 Nvidia | 1 Megatron-bridge | 2026-07-17 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24245 | 1 Nvidia | 1 Megatron-bridge | 2026-07-17 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-8396 | 2026-07-17 | 7.5 High | ||
| Improper restriction of XML external entity reference vulnerability in Netcad Software Inc. NetGIS allows Serialized Data External Linking. This issue affects NetGIS: from 5.0.66 before 7.2.2. | ||||
| CVE-2026-13401 | 2026-07-17 | 7.5 High | ||
| XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition. | ||||
| CVE-2026-16014 | 1 Code-projects | 1 Hospital Bed Management System | 2026-07-17 | 7.3 High |
| A vulnerability was found in code-projects Hospital Bed Management System 1.0. This affects an unknown part of the component Login Form. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | ||||
| CVE-2026-24247 | 1 Nvidia | 1 Megatron-bridge | 2026-07-17 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24249 | 1 Nvidia | 1 Megatron-bridge | 2026-07-17 | 7.8 High |
| NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure. | ||||
| CVE-2026-24264 | 1 Nvidia | 1 Triton Inference Server | 2026-07-17 | 7.5 High |
| NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of highly compressed data. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-15008 | 2 Uncannyowl, Wordpress | 2 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin, Wordpress | 2026-07-17 | 8.1 High |
| The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr_token function in all versions up to, and including, 7.3.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Exploitation requires a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone', allowing unauthenticated form submissions to supply the malicious serialized payload; a gadget chain is present within the plugin via the Action_Helpers_Email __destruct() method, meaning no external gadget library is required. | ||||
| CVE-2026-62227 | 1 Openclaw | 1 Openclaw | 2026-07-17 | 7.7 High |
| OpenClaw 2026.4.14 before 2026.5.26 contain a server-side request forgery vulnerability in browser snapshot routes that fail to validate post-navigation destinations. Attackers with lower-trust access can bypass OpenClaw policy checks to reach network destinations that should have been blocked. | ||||
| CVE-2026-62233 | 1 Getgrav | 1 Grav | 2026-07-17 | 8.8 High |
| grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover. | ||||
| CVE-2026-7543 | 2 Breakdance, Wordpress | 2 Breakdance, Wordpress | 2026-07-17 | 7.2 High |
| The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-58598 | 1 Microsoft | 5 Windows 10 21h2, Windows 10 22h2, Windows 11 24h2 and 2 more | 2026-07-17 | 7 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Backup Engine allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-13765 | 2 Thimpress, Wordpress | 2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress | 2026-07-17 | 7.5 High |
| The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site — including questions belonging to paid courses the attacker is not enrolled in. | ||||
| CVE-2026-50144 | 2026-07-17 | 7.1 High | ||
| ncnn is a high-performance neural network inference framework optimized for the mobile platform. In commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier, ncnn allows an out-of-bounds heap write in ncnn::ParamDict::load_param() when Net::load_param() loads a malicious .param model file because the parsed parameter id is checked only against id >= NCNN_MAX_PARAM_COUNT, allowing a negative id to index before the params[NCNN_MAX_PARAM_COUNT] array. This vulnerability is fixed by commit 5a0288f255daa6c3294f77109f67718e434ec020. | ||||
| CVE-2026-14383 | 1 Google | 1 Chrome | 2026-07-17 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-14407 | 1 Google | 1 Chrome | 2026-07-17 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | ||||