Export limit exceeded: 363826 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363826 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20909 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 5.3 Medium |
| Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries. | ||||
| CVE-2026-22547 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 9.1 Critical |
| Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values. | ||||
| CVE-2026-22874 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 9.6 Critical |
| Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering. | ||||
| CVE-2026-24451 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 7.5 High |
| Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized. | ||||
| CVE-2026-24690 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 7.5 High |
| Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches. | ||||
| CVE-2026-25038 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 7.5 High |
| Gitea 1.26.2 allows unauthorized users to access labels of private organizations. | ||||
| CVE-2026-27790 | 2026-07-07 | 2.7 Low | ||
| Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior. | ||||
| CVE-2026-27844 | 2026-07-07 | 2.7 Low | ||
| Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior. | ||||
| CVE-2026-57867 | 2026-07-07 | N/A | ||
| MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords (OTP) to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3. | ||||
| CVE-2026-57868 | 2026-07-07 | N/A | ||
| MicroRealEstate is affected by broken object-level access controls in PDF generator functionality. This issue affects MicroRealEstate: through 1.0.0-alpha3. | ||||
| CVE-2026-57870 | 2026-07-07 | N/A | ||
| Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3. | ||||
| CVE-2026-10834 | 2026-07-07 | N/A | ||
| The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site. | ||||
| CVE-2026-12375 | 2026-07-07 | 9.8 Critical | ||
| The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers. | ||||
| CVE-2026-4375 | 2026-07-07 | 9 Critical | ||
| The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnerability where unclosed extensions from wordpress.org can be installed by unauthorized users. | ||||
| CVE-2026-59709 | 2 Ghostfol, Ghostfolio | 2 Ghostfolio, Ghostfolio | 2026-07-07 | 4.3 Medium |
| Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports. | ||||
| CVE-2026-25712 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 7.5 High |
| Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations. | ||||
| CVE-2026-7774 | 1 Python | 1 Cpython | 2026-07-07 | 6.5 Medium |
| tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. | ||||
| CVE-2026-25714 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 4.3 Medium |
| Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941. | ||||
| CVE-2026-25718 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 9.1 Critical |
| Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths. | ||||
| CVE-2026-25779 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-07 | 6.1 Medium |
| Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values. | ||||