VYPR

CVEs

345,196 total · page 95 of 6,904

  • CVE-2026-50627CriJun 12, 2026
    risk 0.59cvss 9.1epss 0.00

    The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token…

  • CVE-2026-50623MedJun 12, 2026
    risk 0.31cvss 4.8epss 0.00

    An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker.…

  • CVE-2026-49875CriJun 12, 2026
    risk 0.64cvss 9.8epss 0.01

    Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix…

  • CVE-2026-48914MedJun 12, 2026
    risk 0.37cvss 6.7epss 0.00

    A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI…

  • CVE-2026-11847MedJun 12, 2026
    risk 0.28cvss 4.3epss 0.00

    The  iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.

  • CVE-2026-11846HigJun 12, 2026
    risk 0.53cvss 8.1epss 0.00

    The  iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories,  resulting in data destruction or…

  • CVE-2026-11845HigJun 12, 2026
    risk 0.47cvss 7.2epss 0.01

    The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.

  • CVE-2026-11844MedJun 12, 2026
    risk 0.32cvss 4.9epss 0.00

    The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.

  • CVE-2026-12058MedJun 12, 2026
    risk 0.34cvss epss 0.00

    The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.

  • CVE-2026-11535CriJun 12, 2026
    risk 0.61cvss epss 0.00

    An unauthorized access vulnerability exists in the PcSuite APP. The vulnerability can be exploited by attackers to Unauthorized access to the victim’s device.

  • CVE-2026-9271MedJun 12, 2026
    risk 0.38cvss 5.9epss 0.00

    Vulnerability Title

  • CVE-2026-9269LowJun 12, 2026
    risk 0.23cvss 3.5epss 0.00

    The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

  • CVE-2026-12060MedJun 12, 2026
    risk 0.42cvss 6.5epss 0.00

    Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application,…

  • CVE-2026-12059HigJun 12, 2026
    risk 0.57cvss 8.8epss 0.00

    The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.

  • CVE-2026-45169HigJun 12, 2026
    risk 0.57cvss epss 0.00

    Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenarios, processing unexpected input could potentially lead to an unexpected service…

  • CVE-2026-44892HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not…

  • CVE-2026-48613MedJun 12, 2026
    risk 0.31cvss 5.9epss 0.00

    SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have…

  • CVE-2026-48612HigJun 12, 2026
    risk 0.52cvss 8.0epss 0.00

    Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.

  • CVE-2026-48611CriJun 12, 2026
    risk 0.64cvss 9.8epss 0.03

    Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

  • CVE-2026-48610HigJun 12, 2026
    risk 0.53cvss 8.1epss 0.00

    Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.

  • CVE-2026-47370CriJun 12, 2026
    risk 0.64cvss 9.9epss 0.01

    A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances.

  • CVE-2026-47369CriJun 12, 2026
    risk 0.64cvss 9.9epss 0.00

    A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances.

  • CVE-2026-47368HigJun 12, 2026
    risk 0.56cvss 8.6epss 0.00

    A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to obtain data from such UniFi OS devices or instances.

  • CVE-2026-47367CriJun 12, 2026
    risk 0.64cvss 9.9epss 0.01

    A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device.

  • CVE-2026-47366HigJun 12, 2026
    risk 0.47cvss 7.2epss 0.00

    Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the…

  • CVE-2026-47365CriJun 12, 2026
    risk 0.64cvss 9.9epss 0.00

    Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

  • CVE-2026-20746MedJun 12, 2026
    risk 0.41cvss epss 0.00

    Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

  • CVE-2026-9125MedJun 12, 2026
    risk 0.35cvss 6.4epss 0.00

    The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the…

  • CVE-2026-45170HigJun 12, 2026
    risk 0.49cvss epss 0.00

    Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26-17

  • CVE-2026-11933HigJun 12, 2026
    risk 0.57cvss 8.8epss 0.00

    A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the…

  • CVE-2026-49482MedJun 12, 2026
    risk 0.28cvss 4.3epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite…

  • CVE-2026-10676Jun 12, 2026
    risk 0.00cvss epss

    Rejected reason: This CVE Record has been rejected by the Zephyr Project CNA. Subsequent analysis determined that the addressed defect is not reachable in any released version of Zephyr: on every supported release branch the affected value is corrected before it is used, and the…

  • CVE-2026-12893modJun 12, 2026
    risk 0.36cvss 5.5epss

    gstreamer1-libav: gstreamer1-libav: NULL pointer dereference in gstavdemux.c error handler

  • CVE-2026-47238MedJun 11, 2026
    risk 0.42cvss 6.5epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched…

  • CVE-2026-45418HigJun 11, 2026
    risk 0.57cvss 8.8epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to…

  • CVE-2026-45060CriJun 11, 2026
    risk 0.64cvss 9.8epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This…

  • CVE-2026-42846CriJun 11, 2026
    risk 0.64cvss 9.8epss 0.01

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is…

  • CVE-2026-6250HigJun 11, 2026
    risk 0.53cvss 8.1epss 0.00

    An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data…

  • CVE-2026-49060CriJun 11, 2026
    risk 0.64cvss 9.8epss 0.01

    Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.

  • CVE-2026-45174HigJun 11, 2026
    risk 0.55cvss epss 0.00

    Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19

  • CVE-2026-45173HigJun 11, 2026
    risk 0.55cvss epss 0.00

    Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could…

  • CVE-2026-45172HigJun 11, 2026
    risk 0.57cvss epss 0.01

    Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17…

  • CVE-2026-45171HigJun 11, 2026
    risk 0.57cvss epss 0.01

    Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security…

  • CVE-2026-44890HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts…

  • CVE-2026-44250HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to…

  • CVE-2026-44249HigJun 11, 2026
    risk 0.53cvss 8.1epss 0.01

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid…

  • CVE-2026-42653HigJun 11, 2026
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6.

  • CVE-2026-42647CriJun 11, 2026
    risk 0.60cvss 9.3epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.

  • CVE-2026-39494CriJun 11, 2026
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2.

  • CVE-2026-12035HigJun 11, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)