VYPR

CVEs

38,009 total · page 8 of 761

  • CVE-2026-50874 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

  • CVE-2026-48818 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the…

  • CVE-2026-50870 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

  • CVE-2026-49954 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute.…

  • CVE-2026-47835 · High · Jun 15, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected…

  • CVE-2026-41708 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX…

  • CVE-2026-39118 · High · Jun 15, 2026
    risk 0.55 · cvss 8.4 · epss 0.00

    An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality.

  • CVE-2026-39007 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.

  • CVE-2026-36670 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.

  • CVE-2026-36213 · High · Jun 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.

  • CVE-2025-68713 · High · Jun 15, 2026
    risk 0.52 · cvss 8.0 · epss 0.00

    An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files…

  • CVE-2025-56814 · High · Jun 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters.

  • CVE-2026-54271 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common…

  • CVE-2026-47777 · High · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could…

  • CVE-2026-48712 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply…

  • CVE-2026-54264 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.00

    An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker…

  • CVE-2026-54268 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.00

    A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When…

  • CVE-2026-54266 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.00

    Angular's `HttpTransferCache` caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in `TransferState` using a cache key…

  • CVE-2026-50556 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of `` elements. When rendering dynamic text content inside a `` element via template bindings (such as `{{…

  • CVE-2026-50555 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of raw-text elements (such as ``, ``, and ``). `domino` supports escaping raw-text elements during…

  • CVE-2026-53571 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite…

  • CVE-2026-50171 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of Angular. The `formatNumber` function, which is also utilized by `DecimalPipe`, `PercentPipe`, and `CurrencyPipe`, does not properly validate the upper bounds of the `digitsInfo` parameter.…

  • CVE-2026-50170 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    A vulnerability was discovered in `@angular/common` when Server-Side Rendering (SSR) and hydration are enabled. The `HttpTransferCache` utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side…

  • CVE-2026-50168 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    An issue in the `@angular/platform-server` package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for…

  • CVE-2026-48779 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.01

    Impact: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit,…

  • CVE-2026-9863 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be…

  • CVE-2026-54267 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.00

    To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports **Hydration** via `provideClientHydration()`. During SSR, Angular serializes the application's runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream…

  • CVE-2026-5242 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

  • CVE-2026-5233 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

  • CVE-2026-5230 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

  • CVE-2026-5079 · High · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to…

  • CVE-2026-49111 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0.

  • CVE-2026-49064 · High · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.

  • CVE-2026-49062 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

  • CVE-2019-25746 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with…

  • CVE-2018-25437 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the…

  • CVE-2016-20084 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject…

  • CVE-2016-20081 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal…

  • CVE-2016-20076 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit…

  • CVE-2016-20075 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP…

  • CVE-2016-20073 · High · Jun 15, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php…

  • CVE-2016-20072 · High · Jun 15, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode…

  • CVE-2016-20071 · High · Jun 15, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with…

  • CVE-2016-20069 · High · Jun 15, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar…

  • CVE-2016-20068 · High · Jun 15, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the…

  • CVE-2016-20066 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to…

  • CVE-2026-34026 · High · Jun 15, 2026
    risk 0.46 · cvss n/a · epss 0.00

    Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without…

  • CVE-2026-34024 · High · Jun 15, 2026
    risk 0.56 · cvss n/a · epss 0.00

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly…

  • CVE-2026-34023 · High · Jun 15, 2026
    risk 0.46 · cvss n/a · epss 0.00

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can…

  • CVE-2026-34022 · High · Jun 15, 2026
    risk 0.46 · cvss n/a · epss 0.00

    The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic.…