Export limit exceeded: 326303 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (326303 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28557 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-02 | 6.5 Medium |
| wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles. | ||||
| CVE-2026-28560 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-02 | 5.5 Medium |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers. | ||||
| CVE-2026-28561 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-02 | 5.5 Medium |
| wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing. | ||||
| CVE-2026-2880 | 1 Fastify | 1 Middie | 2026-03-02 | N/A |
| A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers. | ||||
| CVE-2026-3255 | 1 Tokuhirom | 1 Http::session2 | 2026-03-02 | N/A |
| HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above. | ||||
| CVE-2026-3380 | 1 Tenda | 2 F453, F453 Firmware | 2026-03-02 | 8.8 High |
| A vulnerability was found in Tenda F453 1.0.0.3. This issue affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page results in buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-3384 | 1 Chaiscript | 1 Chaiscript | 2026-03-02 | 3.3 Low |
| A security vulnerability has been detected in ChaiScript up to 6.1.0. This impacts the function chaiscript::eval::AST_Node_Impl::eval/chaiscript::eval::Function_Push_Pop of the file include/chaiscript/language/chaiscript_eval.hpp. The manipulation leads to uncontrolled recursion. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3385 | 1 Wren-lang | 1 Wren | 2026-03-02 | 3.3 Low |
| A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3390 | 1 Fascinatedbox | 1 Lily | 2026-03-02 | 3.3 Low |
| A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3394 | 1 Jarikomppa | 1 Soloud | 2026-03-02 | 3.3 Low |
| A vulnerability was detected in jarikomppa soloud up to 20200207. This affects the function SoLoud::Wav::loadwav of the file src/audiosource/wav/soloud_wav.cpp of the component WAV File Parser. Performing a manipulation results in memory corruption. The attack must be initiated from a local position. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3395 | 1 Maxsite | 1 Cms | 2026-03-02 | 7.3 High |
| A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 109.2 will fix this issue. This patch is called 08937a3c5d672a242d68f53e9fccf8a748820ef3. You should upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional. | ||||
| CVE-2026-3401 | 1 Sourcecodester | 1 Web-based Pharmacy Product Management System | 2026-03-02 | 3.1 Low |
| A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-3402 | 1 Phpgurukul | 1 Student Record Management System | 2026-03-02 | 2.4 Low |
| A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the argument Course Short Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-3404 | 2 Jeesite, Thinkgem | 2 Jeesite, Jeesite | 2026-03-02 | 5 Medium |
| A flaw has been found in thinkgem JeeSite up to 5.15.1. Impacted is an unknown function of the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the component Endpoint. Executing a manipulation can lead to xml external entity reference. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3405 | 2 Jeesite, Thinkgem | 2 Jeesite, Jeesite | 2026-03-02 | 3.1 Low |
| A vulnerability has been found in thinkgem JeeSite up to 5.15.1. The affected element is an unknown function of the component Connection Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3410 | 1 Itsourcecode | 1 Society Management System | 2026-03-02 | 7.3 High |
| A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/check_studid.php. Executing a manipulation of the argument student_id can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-2359 | 1 Expressjs | 1 Multer | 2026-03-02 | 7.5 High |
| Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. | ||||
| CVE-2026-3304 | 1 Expressjs | 1 Multer | 2026-03-02 | 7.5 High |
| Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. | ||||
| CVE-2026-3132 | 2026-03-02 | 8.8 High | ||
| The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server. | ||||
| CVE-2026-27631 | 2026-03-02 | N/A | ||
| Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8. | ||||