Total CVEs

138,940

Critical Severity

3,615

High Severity

12,982

Last 7 Days

1,022
Quick preset (or use dates below)
Clear Filters
Showing 2,921 - 2,940 of 12,982 CVEs
CVE-2025-52747 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.

Vendor: Jthemes
Product: Themebox - Digital Products Ecommerce
Published: May 27, 2026
Source: NVD
CVE-2025-30028 HIGH - 8.6

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

Vendor: Synology
Product: Active Backup for Business
Published: May 27, 2026
Source: NVD
CVE-2025-22741 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3.

Vendor: RiceTheme
Product: Felan Framework
Published: May 27, 2026
Source: NVD
CVE-2025-14713 HIGH - 7.5

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.

Vendor: Synology
Product: C2 Identity Edge Server
Published: May 27, 2026
Source: NVD
CVE-2025-13392 HIGH - 8.1

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).

Vendor: Synology
Product: DiskStation Manager (DSM)
Published: May 27, 2026
Source: NVD
CVE-2023-52945 HIGH - 7.8

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors.

Vendor: Synology
Product: BeeDrive for desktop
Published: May 27, 2026
Source: NVD
CVE-2026-8832 HIGH - 8.8

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capa...

Published: May 27, 2026
Source: NVD
CVE-2026-8143 HIGH - 7.2

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This...

Published: May 27, 2026
Source: NVD
CVE-2026-6169 HIGH - 7.2

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval...

Published: May 27, 2026
Source: NVD
CVE-2026-40819 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40818 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40817 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40816 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40815 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40814 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40813 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40812 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40811 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40810 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-3375 HIGH - 7.2

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notification...

Published: May 27, 2026
Source: NVD