Export limit exceeded: 363004 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 363004 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363004 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-38891 2026-07-02 7.5 High
An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.
CVE-2026-55595 1 Imagemagick 1 Imagemagick 2026-07-02 4.7 Medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.
CVE-2026-54786 1 Bytecodealliance 1 Wasmtime 2026-07-02 N/A
Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the file descriptor being renumbered to is not properly closed. Wasmtime's implementation erroneously only updated the table of descriptors for WASIp1 and didn't update the underlying table of descriptors used by the host. This behavior means that while fd_renumber works correctly from a guest's perspective it ends up leaking resources in the host that aren't cleaned up until the corresponding Store is destroyed. In a loop, guests can use fd_renumber to cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. For runtimes that deny access to files they are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.
CVE-2026-55660 2026-07-02 N/A
Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source and post messages using non-specific target origins, while insufficient URL sanitization in rich-text content allows malicious URLs to persist and execute. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session. This issue has been fixed in versions @tinacms/app 2.5.6 and tinacms 3.9.3.
CVE-2026-57361 2 Ays-pro, Wordpress 2 Survey Maker, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Survey Maker <= 5.2.2.5 versions.
CVE-2026-57362 2 Quantumcloud, Wordpress 2 Chatbot, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ChatBot <= 8.3.2 versions.
CVE-2026-57621 2 Arraytics, Wordpress 2 Booktics, Wordpress 2026-07-02 9.8 Critical
Unauthenticated PHP Object Injection in Booktics <= 1.0.21 versions.
CVE-2026-57670 2 Codepeople, Wordpress 2 Google Maps Cp, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions.
CVE-2026-57671 2 Perfmatters, Wordpress 2 Perfmatters, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions.
CVE-2026-57674 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
CVE-2026-10077 2026-07-02 6.8 Medium
The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.
CVE-2025-69152 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
CVE-2026-27425 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.
CVE-2026-50284 2026-07-02 N/A
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.
CVE-2026-14427 1 Google 1 Chrome 2026-07-02 8.3 High
Heap buffer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-14410 1 Google 1 Chrome 2026-07-02 N/A
Inappropriate implementation in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14411 1 Google 1 Chrome 2026-07-02 9.6 Critical
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14414 1 Google 1 Chrome 2026-07-02 5.3 Medium
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14429 1 Google 1 Chrome 2026-07-02 8.3 High
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-14389 1 Google 1 Chrome 2026-07-02 8.3 High
Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)