Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,313
Quick preset (or use dates below)
Clear Filters
Showing 5,121 - 5,140 of 145,743 CVEs

Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victimโ€™s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. Th...

Published: Jun 30, 2026
Source: NVD

HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', ...

Published: Jun 30, 2026
Source: NVD

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CP...

Vendor: juliangruber
Product: brace-expansion
Published: Jun 30, 2026
Source: NVD
CVE-2026-12610 MEDIUM - 6.4

A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service ...

Vendor: fedoraproject
Product: sssd
Published: Jun 30, 2026
Source: NVD

Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline.ย  The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction. Be...

Vendor: Raytha
Product: Raytha
Published: Jun 30, 2026
Source: NVD

PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.

Vendor: Hitachi Energy
Product: PROMOD V
Published: Jun 30, 2026
Source: NVD
CVE-2025-7406 HIGH - 7.8

Nokia MantaRay NM is vulnerable to a sudo privilege escalation vulnerability where a local attacker possessing administrative (local admin) privileges can escalate to full root privileges on the host. Successful exploitation results in root-level access to the filesystem and the ability to execute a...

Published: Jun 30, 2026
Source: NVD
CVE-2025-24816 MEDIUM - 6.5

Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges.

Vendor: Nokia
Product: MantaRay NM
Published: Jun 30, 2026
Source: NVD
CVE-2025-24815 HIGH - 7.8

Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.

Vendor: Nokia
Product: MantaRay NM
Published: Jun 30, 2026
Source: NVD

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400...

Vendor: SamVerschueren
Product: decode-uri-component
Published: Jun 30, 2026
Source: NVD

The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.

Vendor: deltaww
Product: DTMSoft
Published: Jun 30, 2026
Source: NVD
CVE-2026-9576 MEDIUM - 4.9

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from...

Published: Jun 30, 2026
Source: NVD
CVE-2026-56809 MEDIUM - 6.1

Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses Web Image Monitor.

Vendor: Ricoh Company, Ltd.
Product: Multiple laser printers and MFPs which implement Ricoh Web Image Monitor
Published: Jun 30, 2026
Source: NVD
CVE-2026-56808 HIGH - 7.2

DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to the web management console of the affected product.

Vendor: AVTECH Security Corporation
Product: DGM3103SCT
Published: Jun 30, 2026
Source: NVD
CVE-2026-56137 HIGH - 7.8

RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.

Vendor: Gotcha Gotcha Games Inc.
Product: RPG MAKER MV, RPG MAKER MZ
Published: Jun 30, 2026
Source: NVD
CVE-2026-14164 HIGH - 7.5

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free ...

Vendor: Red Hat
Product: Red Hat Hardened Images, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4
Published: Jun 30, 2026
Source: NVD

Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.

Vendor: deltaww
Product: DVP-12SE
Published: Jun 30, 2026
Source: NVD

Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.

Vendor: deltaww
Product: DVP-12SE
Published: Jun 30, 2026
Source: NVD
CVE-2026-12240 HIGH - 8.0

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete a...

Vendor: qlstudio
Product: Export User Data
Published: Jun 30, 2026
Source: NVD
CVE-2026-11590 HIGH - 8.6

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Vendor: Unknown
Product: WP Support Plus Responsive Ticket System
Published: Jun 30, 2026
Source: NVD