Export limit exceeded: 339542 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339542 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4587 | 2026-03-23 | 3.7 Low | ||
| A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2019-25555 | 1 Pixarra | 1 Twistedbrush Pro Studio | 2026-03-23 | 6.2 Medium |
| TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability in the Script Recorder component that allows local attackers to crash the application by supplying an excessively large buffer. Attackers can paste a malicious string containing 500,000 characters into the Description field of the Script Recorder dialog to trigger an application crash. | ||||
| CVE-2019-25587 | 1 Bpftpserver | 1 Bulletproof Ftp Server | 2026-03-23 | 6.2 Medium |
| BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration. | ||||
| CVE-2019-25588 | 1 Bpftpserver | 1 Bulletproof Ftp Server | 2026-03-23 | 6.2 Medium |
| BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked. | ||||
| CVE-2019-25591 | 1 Nsasoft | 1 Nsauditor Dnss Domain Name Search Software | 2026-03-23 | 6.2 Medium |
| DNSS Domain Name Search Software 2.1.8 contains a buffer overflow vulnerability in the registration code input field that allows local attackers to crash the application by submitting an excessively long string. Attackers can trigger a denial of service by pasting a malicious registration code containing 300 repeated characters into the Name/Key field via the Register menu option. | ||||
| CVE-2019-25593 | 1 Jetaudio | 2 Jetaudio, Jetcast Server | 2026-03-23 | 5.5 Medium |
| jetCast Server 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Log directory configuration field. Attackers can paste a buffer of 5000 characters into the Log directory input, then click Start to trigger a crash that terminates the server process. | ||||
| CVE-2019-25597 | 1 Nsauditor | 1 Nsauditor | 2026-03-23 | 6.2 Medium |
| NSauditor 3.1.2.0 contains a buffer overflow vulnerability in the SNMP Auditor Community field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a large payload into the Community field and trigger the Walk function to cause a denial of service condition. | ||||
| CVE-2019-25609 | 1 Jetaudio | 1 Jetaudio | 2026-03-23 | 8.4 High |
| JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration field that allows local attackers to overwrite structured exception handling pointers. Attackers can inject alphanumeric encoded shellcode through the Log Directory field to trigger an SEH exception handler and execute arbitrary code with application privileges. | ||||
| CVE-2019-25615 | 1 Lavavosoftware | 1 Lavavo Cd Ripper | 2026-03-23 | 8.4 High |
| Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field. Attackers can craft a payload with controlled buffer data, NSEH jump instructions, and SEH handler addresses to trigger code execution and establish a bind shell on port 3110. | ||||
| CVE-2025-10679 | 2 Reviewx, Wordpress | 2 Reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema, Wordpress | 2026-03-23 | 7.3 High |
| The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration. | ||||
| CVE-2025-13997 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder, Wordpress | 2026-03-23 | 5.3 Medium |
| The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed | ||||
| CVE-2026-1969 | 2 Themerex, Wordpress | 2 Addons, Wordpress | 2026-03-23 | 5.3 Medium |
| The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448 | ||||
| CVE-2026-2580 | 2 Flippercode, Wordpress | 3 Google Map, Wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters, Wordpress | 2026-03-23 | 7.5 High |
| The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-33319 | 1 Wwbn | 1 Avideo | 2026-03-23 | 5.9 Medium |
| WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue. | ||||
| CVE-2026-4574 | 1 Sourcecodester | 1 Simple E-learning System | 2026-03-23 | 6.3 Medium |
| A vulnerability was detected in SourceCodester Simple E-learning System 1.0. This vulnerability affects unknown code of the component User Profile Update Handler. The manipulation of the argument firstName results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2026-4579 | 1 Code-projects | 1 Simple Laundry System | 2026-03-23 | 7.3 High |
| A vulnerability was identified in code-projects Simple Laundry System 1.0. This affects an unknown function of the file /viewdetail.php of the component Parameters Handler. The manipulation of the argument serviceId leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||
| CVE-2026-4582 | 2026-03-23 | 5 Medium | ||
| A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the local network. Attacks of this nature are highly complex. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data. | ||||
| CVE-2026-4606 | 1 Geovision | 1 Gv-edge Recording Manager | 2026-03-23 | N/A |
| GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system. During installation, ERM creates a Windows service that runs under the LocalSystem account. When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user. Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories. Any ERM function invoking Windows file open/save dialogs exposes the same risk. This vulnerability allows local privilege escalation and may result in full system compromise. | ||||
| CVE-2026-4564 | 2 Ruoyi, Yangzongzhuan | 2 Ruoyi, Ruoyi | 2026-03-23 | 4.7 Medium |
| A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-52636 | 1 Hcltech | 1 Aion | 2026-03-23 | 1.8 Low |
| HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios. | ||||