Export limit exceeded: 357887 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357887 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (357887 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-48190 | 1 Otrs | 1 Otrs | 2026-06-15 | 3.5 Low |
| An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X | ||||
| CVE-2026-48209 | 1 Otrs | 2 Otrs, Otrs Community Edition | 2026-06-15 | 7.1 High |
| An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected | ||||
| CVE-2026-48191 | 1 Otrs | 1 Otrs | 2026-06-15 | 3.5 Low |
| An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM modules: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X | ||||
| CVE-2026-48208 | 1 Otrs | 2 Otrs, Otrs Community Edition | 2026-06-15 | 6.5 Medium |
| An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP). This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected | ||||
| CVE-2026-50100 | 2026-06-15 | N/A | ||
| Multiple printer drivers provided by Ricoh Company, Ltd. and KONICA MINOLTA JAPAN, INC. contain a privilege escalation vulnerability. If this vulnerability is exploited, an attacker who can log in to a computer running an affected printer driver could elevate privileges by using a specially crafted driver. | ||||
| CVE-2026-5482 | 2026-06-15 | N/A | ||
| Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0 | ||||
| CVE-2026-44188 | 1 Redhat | 1 Ansible Automation Platform | 2026-06-15 | 5.3 Medium |
| A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data. | ||||
| CVE-2026-11860 | 1 Opensolution | 1 Quick.cms | 2026-06-15 | N/A |
| Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable. | ||||
| CVE-2026-8385 | 2 Wordpress, Wp Go Maps | 2 Wordpress, Wp Go Maps | 2026-06-15 | N/A |
| The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields. | ||||
| CVE-2026-5792 | 1 Hedef Media | 1 Related Marketing Cloud (rmc) | 2026-06-15 | 6.5 Medium |
| Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026. | ||||
| CVE-2026-5513 | 2 Ladela, Wordpress | 2 Online Scheduling And Appointment Booking System – Bookly, Wordpress | 2026-06-15 | 7.2 High |
| The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires 'Remember personal information in cookies' setting to be enabled (disabled by default). | ||||
| CVE-2026-12175 | 1 Codeastro | 1 Student Attendance Management System | 2026-06-15 | 4.7 Medium |
| A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | ||||
| CVE-2026-12190 | 1 Genspark | 1 Ai Workspace App | 2026-06-15 | 5.3 Medium |
| A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-12198 | 1 Microweber | 1 Microweber | 2026-06-15 | 7.3 High |
| A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-12206 | 1 Grit42 | 1 Grit | 2026-06-15 | 6.3 Medium |
| A vulnerability was identified in Grit42 Grit up to 0.11.0. This issue affects the function Grit::Assays::DataTableEntity of the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-12211 | 1 Intelbras | 1 Invu 7016 Ft | 2026-06-15 | 2.7 Low |
| A flaw has been found in Intelbras iNVU 7016 FT 3.004.00IB000.0.T Build 2025-09-26. This impacts an unknown function of the file /RPC2_Loadfile/syslog/ of the component Web Interface. Executing a manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | ||||
| CVE-2026-12218 | 1 Yealink | 1 Sip-t46u | 2026-06-15 | 8 High |
| A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8386 | 2 Wordpress, Wp Go Maps | 2 Wordpress, Wp Go Maps | 2026-06-15 | N/A |
| The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates. | ||||
| CVE-2026-12223 | 1 Yealink | 1 Sip-t46u | 2026-06-15 | 5.5 Medium |
| A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-12057 | 2026-06-15 | 8.6 High | ||
| When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution. | ||||