Export limit exceeded: 359062 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (359062 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39522 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in Solene <= 3.4 versions. | ||||
| CVE-2026-39529 | 2026-06-17 | 9.8 Critical | ||
| Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions. | ||||
| CVE-2026-39539 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions. | ||||
| CVE-2026-39547 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in Getaway < 1.8 versions. | ||||
| CVE-2026-28576 | 1 Android | 1 Android | 2026-06-17 | N/A |
| In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-39548 | 2026-06-17 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in MagOne <= 9.0 versions. | ||||
| CVE-2026-39549 | 2 Elated-themes, Wordpress | 2 Aperitif, Wordpress | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions. | ||||
| CVE-2026-39554 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions. | ||||
| CVE-2026-28587 | 1 Google | 1 Android | 2026-06-17 | N/A |
| In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-39557 | 2 Elated-themes, Wordpress | 2 Neobeat, Wordpress | 2026-06-17 | 8.1 High |
| Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions. | ||||
| CVE-2026-39567 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions. | ||||
| CVE-2026-39568 | 2026-06-17 | 8.1 High | ||
| Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions. | ||||
| CVE-2026-39577 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions. | ||||
| CVE-2026-39578 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Valiance <= 1.2 versions. | ||||
| CVE-2026-39580 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions. | ||||
| CVE-2026-40736 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions. | ||||
| CVE-2026-40739 | 2 Mikado-themes, Wordpress | 2 Luxedrive, Wordpress | 2026-06-17 | 8.1 High |
| Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions. | ||||
| CVE-2026-40751 | 2026-06-17 | 8.1 High | ||
| Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions. | ||||
| CVE-2026-12165 | 2 Contest-gallery, Wordpress | 2 Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe, Wordpress | 2026-06-17 | 8.8 High |
| The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator. | ||||
| CVE-2026-40754 | 2 Elated-themes, Wordpress | 2 Roisin, Wordpress | 2026-06-17 | 8.1 High |
| Unauthenticated PHP Object Injection in Roisin <= 1.4 versions. | ||||