Browse CVEs
225 CVEs analyzed. 582 pending.
The SportsPress WordPress plugin has a Local File Inclusion vulnerability in all versions up to 2.7.26. Authenticated attackers with contributor-level...
Feb 4, 2026

This CVE describes a reflected cross-site scripting (XSS) vulnerability in AKCE Software's SKSPro product. Attackers can inject malicious scripts into...
Feb 3, 2026

An OS command injection vulnerability in ELECOM WRC-X1500GS-B and WRC-X1500GSA-B wireless routers allows authenticated attackers to execute arbitrary ...
Feb 3, 2026

This stored XSS vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to inject malicious scripts into customer profile fie...
Feb 3, 2026

The Form Maker WordPress plugin has a stored XSS vulnerability in versions up to 1.15.35. Unauthenticated attackers can inject malicious JavaScript in...
Feb 3, 2026

The Form Maker by 10Web WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript code due to weak file ex...
Feb 3, 2026

This vulnerability allows attackers to execute arbitrary code by exploiting insecure DLL loading in Roland Cloud Manager. Attackers can plant maliciou...
Feb 3, 2026

This vulnerability in jsPDF allows attackers to inject arbitrary PDF objects, including JavaScript actions, through user-controlled input to specific ...
Feb 2, 2026

OpenClaw (formerly Clawdbot) versions prior to 2026.1.29 contain a command injection vulnerability in the Docker sandbox execution mechanism. Authenti...
Feb 2, 2026

OpenList Frontend versions before 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated attackers to bypa...
Feb 2, 2026

OpenList Frontend versions before 4.1.10 have TLS certificate verification disabled by default for storage communications, allowing Man-in-the-Middle ...
Feb 2, 2026

A stored XSS vulnerability in FacturaScripts allows attackers to inject malicious JavaScript into the Observations field, which executes when administ...
Feb 2, 2026

OpenTelemetry-Go SDK versions v1.20.0 through v1.39.0 on macOS/Darwin systems are vulnerable to path hijacking attacks. An attacker with local access ...
Feb 2, 2026

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 exposes the ModelBuilder HMAC signing key in cleartext via the DescribeTrainingJob API. Thi...
Feb 2, 2026

This vulnerability allows a privileged user in IBM WebSphere Application Server Liberty to upload a zip archive containing path traversal sequences, w...
Feb 2, 2026

This vulnerability allows a local attacker with physical USB access to cause a full device reset by using an invalid reset file. It affects devices th...
Feb 2, 2026

CVE-2022-50977 allows unauthenticated remote attackers to disrupt operations by switching between multiple configuration presets via HTTP requests. Th...
Feb 2, 2026

This vulnerability allows unauthenticated remote attackers to disrupt operations by switching between multiple configuration presets via Modbus TCP. I...
Feb 2, 2026

This vulnerability allows an unauthenticated remote attacker to hijack existing user sessions and gain full administrative access to affected devices....
Feb 2, 2026

This vulnerability allows local privilege escalation on macOS systems running Native Access. A low-privileged user can exploit DYLIB injection in the ...
Feb 2, 2026

This vulnerability allows attackers to bypass code signature verification in Native Access's XPC service on macOS through PID reuse attacks. An attack...
Feb 2, 2026

A stack-based buffer overflow vulnerability in libsoup allows remote attackers to execute arbitrary code or crash applications by sending specially cr...
Feb 2, 2026

This SQL injection vulnerability in AKCE Software's SKSPro allows attackers to execute arbitrary SQL commands on the database. All SKSPro installation...
Feb 2, 2026

This vulnerability in huggingface/text-generation-inference allows unauthenticated attackers to trigger resource exhaustion by exploiting unbounded ex...
Feb 2, 2026

This vulnerability allows authenticated users in lunary-ai/lunary to delete prompts belonging to other organizations through ID manipulation. The appl...
Feb 2, 2026

This CVE describes a local privilege escalation vulnerability in mlflow versions before 3.4.0 where temporary directories for Python virtual environme...
Feb 2, 2026

This vulnerability allows unauthenticated attackers to trigger resource-intensive text generation operations and manipulate server state in the lollms...
Feb 2, 2026

This CVE describes a PHP Local File Inclusion vulnerability in the Talemy Spirit Framework WordPress plugin. Attackers can exploit improper filename c...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service through system crashes when devices connect to rogue base stations. Attackers ca...
Feb 2, 2026

This vulnerability allows remote attackers to cause a system crash (denial of service) in affected modem devices by connecting to a rogue base station...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service through improper input validation. An attacker can crash the system by connectin...
Feb 2, 2026

This CVE describes a use-after-free vulnerability in the cameraisp component that could allow local privilege escalation. Attackers with System privil...
Feb 2, 2026

CVE-2026-20412 is an out-of-bounds write vulnerability in the cameraisp component that allows local privilege escalation. Attackers with initial Syste...
Feb 2, 2026

This vulnerability in MediaTek wlan AP/STA firmware allows remote attackers within wireless range to cause denial of service by making the system unre...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service through improper input validation. An attacker can crash the system by connectin...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service through system crashes when devices connect to rogue base stations. Attackers ca...
Feb 2, 2026

This vulnerability allows remote denial of service attacks against devices with affected MediaTek modems. An attacker can crash the system by connecti...
Feb 2, 2026

This CVE describes a heap buffer overflow vulnerability in wlan (wireless LAN) components that allows remote attackers to execute arbitrary code witho...
Feb 2, 2026

CVE-2026-20409 is an out-of-bounds write vulnerability in the imgsys component that allows local privilege escalation. Attackers with initial System p...
Feb 2, 2026

This vulnerability allows remote denial of service attacks against mobile devices with affected MediaTek modems. An attacker can crash the system by c...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service through improper input validation. Attackers can crash affected devices by conne...
Feb 2, 2026

This vulnerability in MediaTek modems allows remote denial of service via system crash when a device connects to a malicious base station. Attackers c...
Feb 2, 2026

CVE-2025-9974 is an OS command injection vulnerability in the unified WEBUI application of Nokia ONT/Beacon devices. Authenticated attackers with low ...
Feb 2, 2026

The Library Viewer WordPress plugin before version 3.2.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized parameters ar...
Feb 2, 2026

A vulnerability in fog-kubevirt allows remote attackers to perform Man-in-the-Middle attacks by intercepting communications between Satellite and Open...
Feb 2, 2026

This vulnerability in foreman_kubevirt disables SSL certificate verification by default when connecting to OpenShift without an explicitly set CA cert...
Feb 2, 2026

An unauthenticated attacker can upload arbitrary files to MagicInfo9 Server, leading to remote code execution and privilege escalation. This affects M...
Feb 2, 2026

CVE-2026-24788 is an OS command injection vulnerability in RaspAP raspap-webgui that allows authenticated users to execute arbitrary commands on the u...
Feb 2, 2026

This vulnerability allows remote attackers to bypass authentication on EFM ipTIME A8004T routers via improper authentication in the Hidden Hiddenlogin...
Feb 2, 2026

OpenClaw (also known as clawdbot or Moltbot) versions before 2026.1.29 automatically establish WebSocket connections using gatewayUrl values from quer...
Feb 1, 2026