VYPR

CVEs

345,217 total · page 105 of 6,905

  • CVE-2026-12975impJun 10, 2026
    risk 0.55cvss 8.5epss 0.00

    Apicurio/apicurio-registry: apicurio-registry: Unhardened SAXParser in content-type detection leads to blind XXE / SSRF / billion-laughs DoS

  • CVE-2026-12992impJun 10, 2026
    risk 0.48cvss 7.4epss 0.00

    Apicurio/apicurio-registry: apicurio-registry: SSRF via wsdl4j import dereference in WSDL FULL validation

  • CVE-2026-12993modJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    Apicurio/apicurio-registry: apicurio-registry: XML entity-expansion denial of service via internal DTD subset

  • CVE-2026-24067HigJun 10, 2026
    risk 0.55cvss 8.4epss 0.00

    Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's…

  • CVE-2026-24066HigJun 10, 2026
    risk 0.55cvss 8.4epss 0.00

    Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU…

  • CVE-2026-11859LowJun 10, 2026
    risk 0.13cvss epss 0.00

    An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting (XSS) in emails clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142…

  • CVE-2026-3018HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.01

    The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2026-11853MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine…

  • CVE-2026-11852MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see…

  • CVE-2025-6254CriJun 10, 2026
    risk 0.64cvss 9.8epss 0.00

    The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for…

  • CVE-2026-9019MedJun 10, 2026
    risk 0.42cvss 6.4epss 0.00

    The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping.…

  • CVE-2026-8853MedJun 10, 2026
    risk 0.29cvss 4.4epss 0.00

    The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level…

  • CVE-2026-8613MedJun 10, 2026
    risk 0.42cvss 6.4epss 0.00

    The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2026-10721HigJun 10, 2026
    risk 0.55cvss epss 0.00

    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the…

  • CVE-2026-9067CriJun 10, 2026
    risk 0.59cvss 9.1epss 0.00

    The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users…

  • CVE-2026-9060LowJun 10, 2026
    risk 0.23cvss 3.5epss 0.00

    The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site…

  • CVE-2026-8071HigJun 10, 2026
    risk 0.50cvss 8.8epss 0.00

    The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute…

  • CVE-2026-3326HigJun 10, 2026
    risk 0.56cvss 8.6epss 0.01

    The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

  • CVE-2026-29116HigJun 10, 2026
    risk 0.57cvss epss 0.00

    A vulnerability has been found in some Dahua products could allow an unauthenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.

  • CVE-2026-29115MedJun 10, 2026
    risk 0.45cvss epss 0.00

    A vulnerability has been found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.

  • CVE-2026-29114LowJun 10, 2026
    risk 0.15cvss epss 0.00

    A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust…

  • CVE-2026-11815MedJun 10, 2026
    risk 0.34cvss epss 0.00

    An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.

  • CVE-2026-10846HigJun 10, 2026
    risk 0.53cvss epss 0.00

    NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is…

  • CVE-2026-26241CriJun 10, 2026
    risk 0.59cvss 9.1epss 0.00

    A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

  • CVE-2026-26240CriJun 10, 2026
    risk 0.59cvss 9.1epss 0.00

    A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

  • CVE-2026-11837HigJun 10, 2026
    risk 0.47cvss 7.3epss 0.00

    A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage…

  • CVE-2025-8444MedJun 10, 2026
    risk 0.42cvss 6.4epss 0.00

    The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and…

  • CVE-2026-26239HigJun 10, 2026
    risk 0.53cvss 8.1epss 0.00

    A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5…

  • CVE-2026-26237HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and…

  • CVE-2026-24724HigJun 10, 2026
    risk 0.53cvss 8.1epss 0.00

    An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File…

  • CVE-2026-24720MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type…

  • CVE-2026-24719HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.01

    A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the…

  • CVE-2026-24717MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the…

  • CVE-2026-24716HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the…

  • CVE-2026-22899MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version:…

  • CVE-2026-22893HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.01

    A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the…

  • CVE-2025-66281HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions:…

  • CVE-2025-66280HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.00

    An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the…

  • CVE-2025-66279HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.01

    A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the…

  • CVE-2025-66273HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.01

    A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the…

  • CVE-2025-62851MedJun 10, 2026
    risk 0.29cvss 4.4epss 0.00

    A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the…

  • CVE-2025-62850HigJun 10, 2026
    risk 0.47cvss 7.2epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the…

  • CVE-2025-66276CriJun 10, 2026
    risk 0.64cvss 9.8epss 0.00

    QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later

  • CVE-2025-59382LowJun 10, 2026
    risk 0.08cvss epss 0.00

    QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version:

  • CVE-2025-58468MedJun 10, 2026
    risk 0.33cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version:…

  • CVE-2026-46532MedJun 10, 2026
    risk 0.23cvss 4.6epss 0.00

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c).…

  • CVE-2026-45542HigJun 10, 2026
    risk 0.39cvss 7.1epss 0.00

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler…

  • CVE-2026-45541HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied…

  • CVE-2026-45329HigJun 10, 2026
    risk 0.39cvss 7.1epss 0.00

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only some of the caller-supplied pointer arguments, leaving input pointer…

  • CVE-2026-45328CriJun 10, 2026
    risk 0.53cvss 9.3epss 0.00

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to…