Export limit exceeded: 329868 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (329868 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0750 | 2 Drupal, Verifone | 2 Drupal Commerce Paybox, Commerce Paybox | 2026-03-09 | 7.5 High |
| Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. | ||||
| CVE-2025-40926 | 1 Kazeburo | 2 Plack::middleware::session::simple, Plack\ | 2026-03-09 | 9.8 Critical |
| Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923. | ||||
| CVE-2025-46691 | 1 Dell | 2 Premiercolor, Premiercolor Panel Driver | 2026-03-09 | 7.8 High |
| Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | ||||
| CVE-2025-15344 | 1 Tanium | 2 Asset, Service Asset | 2026-03-09 | 6.3 Medium |
| Tanium addressed a SQL injection vulnerability in Asset. | ||||
| CVE-2026-3724 | 2 Pamzey, Sourcecodester | 2 Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System | 2026-03-09 | 6.3 Medium |
| A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. This impacts an unknown function of the file /checkin.php. This manipulation of the argument patient_id causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-25067 | 1 Smartertools | 1 Smartermail | 2026-03-09 | 5.3 Medium |
| SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. | ||||
| CVE-2026-2999 | 2 Changing, Changingtec | 2 Idexpert Windows Logon Agent, Idexpert | 2026-03-09 | 9.8 Critical |
| IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary executable files from a remote source and execute them. | ||||
| CVE-2026-3000 | 2 Changing, Changingtec | 2 Idexpert Windows Logon Agent, Idexpert | 2026-03-09 | 9.8 Critical |
| IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary DLL files from a remote source and execute them. | ||||
| CVE-2025-7015 | 1 Akinsoft | 1 Qr Menu | 2026-03-09 | 5.7 Medium |
| Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. | ||||
| CVE-2026-1469 | 2 Nova-a, Rle Nova | 2 Planmanager, Planmanager | 2026-03-09 | 5.4 Medium |
| Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the ‘comment’ and ‘brand’ parameters in ‘/index.php’. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | ||||
| CVE-2026-3422 | 2 E-excellence, Edetw | 2 U-office Force, U-office Force | 2026-03-09 | 9.8 Critical |
| U-Office Force developed by e-Excellence has a Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content. | ||||
| CVE-2026-27383 | 2 Radiustheme, Wordpress | 2 Metro, Wordpress | 2026-03-09 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.This issue affects Metro: from n/a through <= 2.13. | ||||
| CVE-2026-27337 | 2 Ancorathemes, Wordpress | 2 Chronicle - Lifestyle Magazine & Blog Wordpress Theme, Wordpress | 2026-03-09 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through <= 1.0. | ||||
| CVE-2026-27335 | 2 Ancorathemes, Wordpress | 2 Ekoterra - Nonprofit, Green Energy & Ecology Theme, Wordpress | 2026-03-09 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0. | ||||
| CVE-2026-27098 | 2 Axiomthemes, Wordpress | 2 Au Pair Agency - Babysitting & Nanny Theme, Wordpress | 2026-03-09 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection.This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2. | ||||
| CVE-2026-24963 | 2 Ameliabooking, Wordpress | 2 Amelia, Wordpress | 2026-03-09 | 7.2 High |
| Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooking allows Privilege Escalation.This issue affects Amelia: from n/a through <= 1.2.38. | ||||
| CVE-2026-24385 | 2 Gerritvanaaken, Wordpress | 2 Podlove Web Player, Wordpress | 2026-03-09 | 7.5 High |
| Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1. | ||||
| CVE-2026-23801 | 2 Fuelthemes, Wordpress | 2 The Issue, Wordpress | 2026-03-09 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11. | ||||
| CVE-2025-14769 | 2026-03-09 | 7.5 High | ||
| In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass. | ||||
| CVE-2026-24400 | 1 Assertj | 1 Assertj | 2026-03-09 | 9.1 Critical |
| AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. | ||||