Search Results (84349 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-53833 | 2 Openclaw, Qqbot | 2 Openclaw, Qqbot | 2026-06-16 | 7.7 High | OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements. |
| CVE-2026-46655 | | | 2026-06-16 | 7.8 High | A flaw was found in virtio-win. A low-integrity process can issue an IOCTL request to viosock.sys!VIOSockSelect with a maliciously crafted request that causes an integer overflow. This allows the process to circumvent bounds checking, resulting in a heap overflow in the NonPagedPool kernel heap. The flaw could be exploited to escalate privileges on Windows systems running this driver. |
| CVE-2026-45437 | | | 2026-06-15 | 7.1 High | Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. |
| CVE-2026-42655 | | | 2026-06-15 | 7.5 High | Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions. |
| CVE-2026-42411 | | | 2026-06-15 | 8.1 High | Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions. |
| CVE-2026-40785 | | | 2026-06-15 | 7.1 High | Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions. |
| CVE-2026-39450 | | | 2026-06-15 | 7.1 High | Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. |
| CVE-2026-25425 | | | 2026-06-15 | 7.5 High | Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. |
| CVE-2025-68840 | | | 2026-06-15 | 7.1 High | Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. |
| CVE-2026-52722 | 1 Redhat | 1 Enterprise Linux | 2026-06-15 | 7.1 High | A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. |
| CVE-2016-20084 | | | 2026-06-15 | 7.2 High | WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface. |
| CVE-2016-20073 | | | 2026-06-15 | 8.2 High | Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract sensitive database information including WordPress terms and configuration data. |
| CVE-2026-49061 | | | 2026-06-15 | 7.5 High | Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions. |
| CVE-2026-12200 | 1 Ritlabs | 1 Tinyweb Server | 2026-06-15 | 7.3 High | A security vulnerability has been detected in Ritlabs TinyWeb Server up to 1.94 on Win32. This impacts an unknown function in the library libeay32.dll.html of the component Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-12191 | 1 Comma Ai | 1 Openpilot | 2026-06-15 | 7.8 High | A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-49070 | | | 2026-06-15 | 7.5 High | Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |
| CVE-2026-53832 | 1 Openclaw | 1 Openclaw | 2026-06-15 | 7.7 High | OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges. |
| CVE-2026-53821 | 1 Openclaw | 1 Openclaw | 2026-06-15 | 8.8 High | OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs. |
| CVE-2026-52702 | | | 2026-06-15 | 7.1 High | Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. |
| CVE-2026-42365 | 2 Geovision, Geovision Inc. | 5 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 2 more | 2026-06-15 | 8.6 High | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability. |