Export limit exceeded: 339542 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339542 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4540 | 1 Projectworlds | 1 Online Notes Sharing Platform | 2026-03-23 | 7.3 High |
| A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | ||||
| CVE-2026-4549 | 1 Mickasmt | 1 Next-saas-stripe-starter | 2026-03-23 | 3.1 Low |
| A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult. | ||||
| CVE-2019-25599 | 1 Nsauditor | 1 Backup Key Recovery | 2026-03-23 | 6.2 Medium |
| Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form. | ||||
| CVE-2019-25600 | 1 Uvnc | 1 Ultravnc Viewer | 2026-03-23 | 6.5 Medium |
| UltraVNC Viewer 1.2.2.4 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized string to the VNC Server input field. Attackers can paste a malicious string containing 256 repeated characters into the VNC Server field and click Connect to trigger a buffer overflow that crashes the viewer. | ||||
| CVE-2026-4554 | 1 Tenda | 2 F453, F453 Firmware | 2026-03-23 | 6.3 Medium |
| A security flaw has been discovered in Tenda F453 1.0.0.3. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-33293 | 1 Wwbn | 1 Avideo | 2026-03-23 | 8.1 High |
| WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue. | ||||
| CVE-2026-33294 | 1 Wwbn | 1 Avideo | 2026-03-23 | 5 Medium |
| WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue. | ||||
| CVE-2026-33295 | 1 Wwbn | 1 Avideo | 2026-03-23 | N/A |
| WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue. | ||||
| CVE-2026-4568 | 1 Sourcecodester | 1 Sales And Inventory System | 2026-03-23 | 6.3 Medium |
| A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown function of the file /update_supplier.php of the component HTTP GET Request Handler. The manipulation of the argument sid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. Several companies clearly confirm that VulDB is the primary source for best vulnerability data. | ||||
| CVE-2026-4569 | 1 Sourcecodester | 1 Sales And Inventory System | 2026-03-23 | 6.3 Medium |
| A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /view_category.php of the component HTTP POST Request Handler. This manipulation of the argument searchtxt causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2019-25557 | 1 Pixarra | 1 Twistedbrush Pro Studio | 2026-03-23 | 6.2 Medium |
| TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability that allows local attackers to crash the application by importing a malformed .srp script file. Attackers can create a .srp file containing an excessively large buffer and import it through the Script Player interface to trigger an application crash. | ||||
| CVE-2019-25564 | 1 Uvnc | 2 Pchelpwarev2, Ultravnc | 2026-03-23 | 5.5 Medium |
| PCHelpWareV2 1.0.0.5 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Group field. Attackers can paste a buffer overflow payload into the Group property field and click Ok to trigger an application crash. | ||||
| CVE-2026-4572 | 1 Sourcecodester | 1 Sales And Inventory System | 2026-03-23 | 6.3 Medium |
| A weakness has been identified in SourceCodester Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /view_product.php of the component HTTP POST Request Handler. Executing a manipulation of the argument searchtxt can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2025-6229 | 2 Shaosina, Wordpress | 2 Sina Extension For Elementor, Wordpress | 2026-03-23 | 6.4 Medium |
| The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Fancy Text Widget` And `Countdown Widget` DOM attributes in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4578 | 1 Code-projects | 1 Exam Form Submission | 2026-03-23 | 2.4 Low |
| A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-4628 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2026-03-23 | 4.3 Medium |
| A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. | ||||
| CVE-2019-25544 | 1 Pidgin | 1 Pidgin | 2026-03-23 | 6.2 Medium |
| Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable. | ||||
| CVE-2019-25549 | 1 Verypdf | 1 Verypdf | 2026-03-23 | 6.2 Medium |
| VeryPDF PCL Converter 2.7 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long password string. Attackers can trigger a buffer overflow by entering a 3000-byte password in the PDF Security encryption fields, causing the application to crash when processing PCL files. | ||||
| CVE-2019-25567 | 1 Valentina-db | 1 Valentina Studio | 2026-03-23 | 6.2 Medium |
| Valentina Studio 9.0.5 Linux contains a buffer overflow vulnerability in the Host field of the connection dialog that allows local attackers to crash the application by supplying an oversized input string. Attackers can trigger the vulnerability by pasting a crafted buffer exceeding 264 bytes into the Host field during server connection attempts, causing a denial of service. | ||||
| CVE-2019-25569 | 1 Realterm | 1 Realterm: Serial Terminal | 2026-03-23 | 6.2 Medium |
| RealTerm Serial Terminal 2.0.0.70 contains a stack-based buffer overflow vulnerability in the Echo Port field that allows local attackers to crash the application by triggering a structured exception handler (SEH) chain corruption. Attackers can craft a malicious input string with 268 bytes of padding followed by SEH overwrite values and paste it into the Port field to cause denial of service. | ||||