Export limit exceeded: 363826 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363826 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-20909 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 5.3 Medium
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
CVE-2026-22547 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.1 Critical
Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
CVE-2026-22874 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.6 Critical
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
CVE-2026-24451 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
CVE-2026-24690 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
CVE-2026-25038 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea 1.26.2 allows unauthorized users to access labels of private organizations.
CVE-2026-27790 2026-07-07 2.7 Low
Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior.
CVE-2026-27844 2026-07-07 2.7 Low
Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service.  Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior.
CVE-2026-57867 2026-07-07 N/A
MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords (OTP) to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3.
CVE-2026-57868 2026-07-07 N/A
MicroRealEstate is affected by broken object-level access controls in PDF generator functionality. This issue affects MicroRealEstate: through 1.0.0-alpha3.
CVE-2026-57870 2026-07-07 N/A
Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3.
CVE-2026-10834 2026-07-07 N/A
The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.
CVE-2026-12375 2026-07-07 9.8 Critical
The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.
CVE-2026-4375 2026-07-07 9 Critical
The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnerability where unclosed extensions from wordpress.org can be installed by unauthorized users.
CVE-2026-59709 2 Ghostfol, Ghostfolio 2 Ghostfolio, Ghostfolio 2026-07-07 4.3 Medium
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.
CVE-2026-25712 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
CVE-2026-7774 1 Python 1 Cpython 2026-07-07 6.5 Medium
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
CVE-2026-25714 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 4.3 Medium
Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941.
CVE-2026-25718 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.1 Critical
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.
CVE-2026-25779 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 6.1 Medium
Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values.