Export limit exceeded: 333385 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 333385 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (333385 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-20028 | 1 Zkteco | 1 Zkbiosecurity | 2026-03-16 | 4.3 Medium |
| ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages. | ||||
| CVE-2017-20223 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2026-03-16 | 9.8 Critical |
| Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls. | ||||
| CVE-2016-20027 | 1 Zkteco | 1 Zkbiosecurity | 2026-03-16 | 6.1 Medium |
| ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application. | ||||
| CVE-2025-14287 | 1 Mlflow | 1 Mlflow | 2026-03-16 | N/A |
| A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments. | ||||
| CVE-2017-20218 | 1 Serviio | 1 Serviio Pro | 2026-03-16 | 7.8 High |
| Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot. | ||||
| CVE-2016-20032 | 1 Zkteco | 1 Zkaccess Security System | 2026-03-16 | 7.2 High |
| ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information. | ||||
| CVE-2016-20031 | 1 Zkteco | 1 Zkbiosecurity | 2026-03-16 | 5.5 Medium |
| ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions. | ||||
| CVE-2015-20117 | 1 Next Click Ventures | 1 Realtyscript | 2026-03-16 | 5.3 Medium |
| Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmins.php endpoints to register new users with arbitrary credentials and escalate privileges to SUPERUSER level. | ||||
| CVE-2015-20116 | 1 Next Click Ventures | 1 Realtyscript | 2026-03-16 | 6.1 Medium |
| Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed. | ||||
| CVE-2015-20114 | 1 Next Click Ventuers | 1 Realtyscript | 2026-03-16 | 6.1 Medium |
| Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads in vulnerable parameters to execute code in users' browser sessions within the context of the affected application. | ||||
| CVE-2016-20033 | 1 Wowza | 1 Streaming Engine | 2026-03-16 | 7.8 High |
| Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart. | ||||
| CVE-2026-4105 | 1 Redhat | 3 Enterprise Linux, Openshift, Openshift Container Platform | 2026-03-16 | 6.7 Medium |
| A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system. | ||||
| CVE-2025-15552 | 2026-03-16 | N/A | ||
| Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password. | ||||
| CVE-2025-15554 | 2026-03-16 | N/A | ||
| Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords. | ||||
| CVE-2025-41432 | 2026-03-16 | 5.5 Medium | ||
| in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios. | ||||
| CVE-2025-13460 | 1 Ibm | 1 Aspera Console | 2026-03-16 | 5.3 Medium |
| IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy. | ||||
| CVE-2026-32368 | 2 Delphiknight, Wordpress | 2 Geo To Lat, Wordpress | 2026-03-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19. | ||||
| CVE-2026-32370 | 2 Raratheme, Wordpress | 2 Influencer, Wordpress | 2026-03-16 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Influencer influencer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Influencer: from n/a through <= 1.1.7. | ||||
| CVE-2026-32371 | 2 Rarathemes, Wordpress | 2 Elegant Pink, Wordpress | 2026-03-16 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Elegant Pink elegant-pink allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elegant Pink: from n/a through <= 1.3.3. | ||||
| CVE-2026-32372 | 2 Radiustheme, Wordpress | 2 Shopbuilder – Elementor Woocommerce Builder Addons, Wordpress | 2026-03-16 | N/A |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder – Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4. | ||||