Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,811
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,341 - 14,360 of 38,803 CVEs
CVE-2021-47938 HIGH - 8.8

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/ad...

Vendor: Impresscms
Product: ImpressCMS
Published: May 10, 2026
Source: NVD
CVE-2021-47937 HIGH - 8.8

e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to ...

Vendor: E107
Product: e107 CMS
Published: May 10, 2026
Source: NVD
CVE-2021-47936 CRITICAL - 9.8

OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system comman...

Vendor: Opencats
Product: OpenCATS
Published: May 10, 2026
Source: NVD
CVE-2021-47935 HIGH - 8.8

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with ...

Vendor: Sentry
Product: Sentry
Published: May 10, 2026
Source: NVD
CVE-2021-47933 CRITICAL - 9.8

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code executi...

Vendor: mstore
Product: MStore API
Published: May 10, 2026
Source: NVD
CVE-2021-47932 CRITICAL - 9.8

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to adm...

Vendor: thecartpress
Product: TheCartPress
Published: May 10, 2026
Source: NVD
CVE-2021-47931 MEDIUM - 6.4

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary Ja...

Vendor: Exponentcms
Product: Exponent CMS
Published: May 10, 2026
Source: NVD
CVE-2021-47930 HIGH - 8.2

Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' fi...

Vendor: Balbooa
Product: Balbooa Joomla Forms Builder
Published: May 10, 2026
Source: NVD
CVE-2021-47929 MEDIUM - 6.4

Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is...

Vendor: Filterable-Portfolio
Product: Filterable Portfolio Gallery
Published: May 10, 2026
Source: NVD
CVE-2021-47928 HIGH - 8.2

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techni...

Vendor: opencartextensions
Product: Extension TMD Vendor System
Published: May 10, 2026
Source: NVD
CVE-2021-47927 MEDIUM - 6.4

WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScri...

Vendor: Wpsymposiumpro
Product: WP Symposium Pro
Published: May 10, 2026
Source: NVD
CVE-2021-47926 MEDIUM - 6.4

Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in us...

Vendor: Form2Email
Product: Contact Form to Email
Published: May 10, 2026
Source: NVD
CVE-2021-47925 MEDIUM - 6.4

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachme...

Vendor: Cmdbuild
Product: CMDBuild
Published: May 10, 2026
Source: NVD
CVE-2021-47924 MEDIUM - 6.4

Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code w...

Vendor: Etoilewebdesign
Product: Ultimate Product Catalog
Published: May 10, 2026
Source: NVD
CVE-2021-47923 CRITICAL - 9.8

OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access...

Vendor: Opencart
Product: opencart
Published: May 10, 2026
Source: NVD
CVE-2021-47922 MEDIUM - 6.4

Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of use...

Vendor: Soliloquywp
Product: Slider by Soliloquy
Published: May 10, 2026
Source: NVD
CVE-2021-47910 MEDIUM - 6.4

AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that...

Vendor: Accesspressthemes
Product: AccessPress Social Icons
Published: May 10, 2026
Source: NVD
CVE-2021-47907 MEDIUM - 6.4

Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers o...

Vendor: Rocketsoft
Product: Rocket LMS
Published: May 10, 2026
Source: NVD
CVE-2026-8244 MEDIUM - 5.3

A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit i...

Published: May 10, 2026
Source: NVD
CVE-2026-8243 MEDIUM - 5.3

A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack may be performed from remote. The vendor was conta...

Published: May 10, 2026
Source: NVD