Export limit exceeded: 10028 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10028 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20704 | 1 Elecom | 2 Wrc-x1500gs-b, Wrc-x1500gsa-b | 2026-05-12 | N/A |
| Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | ||||
| CVE-2026-42286 | 1 Emlog | 1 Emlog | 2026-05-12 | N/A |
| Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11. | ||||
| CVE-2021-47946 | 1 Opencart | 1 Opencart | 2026-05-12 | 5.3 Medium |
| OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts. | ||||
| CVE-2026-28950 | 1 Apple | 3 Ios And Ipados, Ipados, Iphone Os | 2026-05-11 | 6.2 Medium |
| A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2, iPadOS 17.7.11. Notifications marked for deletion could be unexpectedly retained on the device. | ||||
| CVE-2026-43877 | 1 Wwbn | 1 Avideo | 2026-05-11 | 5.4 Medium |
| WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also triggers a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix. | ||||
| CVE-2026-42274 | 1 Dadrus | 1 Heimdall | 2026-05-11 | N/A |
| Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14. | ||||
| CVE-2026-8194 | 1 Osticket | 1 Osticket | 2026-05-11 | 4.3 Medium |
| A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | ||||
| CVE-2021-47953 | 1 Opencart | 1 Opencart | 2026-05-11 | 4.3 Medium |
| OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts. | ||||
| CVE-2026-40948 | 1 Apache | 2 Airflow, Apache-airflow-providers-keycloak | 2026-05-11 | 5.4 Medium |
| The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later. | ||||
| CVE-2022-50955 | 3 Curtain, Curtain Project, Wordpress | 3 Curtain, Curtain, Wordpress | 2026-05-11 | 4.3 Medium |
| WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation. | ||||
| CVE-2026-34760 | 2 Vllm, Vllm-project | 2 Vllm, Vllm | 2026-05-11 | 5.9 Medium |
| vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0. | ||||
| CVE-2026-4984 | 1 Botpress | 1 Botpress | 2026-05-10 | 8.2 High |
| The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account. | ||||
| CVE-2026-5791 | 1 Divvydrive | 1 Divvydrive | 2026-05-10 | 6.5 Medium |
| Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | ||||
| CVE-2025-31970 | 2 Hcl, Hcltech | 2 Dfxanalytics, Dfxanalytics | 2026-05-07 | 5.3 Medium |
| HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS) | ||||
| CVE-2025-31951 | 1 Hcl | 1 Bigfix Runbookai | 2026-05-07 | 8.8 High |
| HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution. | ||||
| CVE-2026-28201 | 2 Lfnovo, Open Notebook | 2 Open-notebook, Open Notebook | 2026-05-07 | 7.8 High |
| An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible. | ||||
| CVE-2026-27415 | 2 Pluginus.net, Wordpress | 2 Bear, Wordpress | 2026-05-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5. | ||||
| CVE-2025-65857 | 1 Xiongmaitech | 2 Xm530v200 X6-weq 8m, Xm530v200 X6-weq 8m Firmware | 2026-05-07 | 7.5 High |
| An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access. | ||||
| CVE-2026-3911 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-05-07 | 2.7 Low |
| A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. | ||||
| CVE-2026-20034 | 1 Cisco | 1 Unity Connection | 2026-05-07 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. | ||||