Vulnerabilities (CVE)

Total 363366 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-38936 2026-07-05 N/A 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter.
CVE-2026-38935 2026-07-05 N/A 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter.
CVE-2026-38934 2026-07-05 N/A 8.8 HIGH
Cross-Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php.
CVE-2026-38931 2026-07-05 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
CVE-2026-38930 2026-07-05 N/A 6.5 MEDIUM
OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter.
CVE-2026-36356 2026-07-05 N/A 9.1 CRITICAL
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
CVE-2026-36239 2026-07-05 N/A 4.3 MEDIUM
PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality.
CVE-2026-36182 2026-07-05 N/A 9.8 CRITICAL
GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a brute-force attack.
CVE-2026-36180 2026-07-05 N/A 4.6 MEDIUM
A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack.
CVE-2026-36178 2026-07-05 N/A 4.6 MEDIUM
The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data.
CVE-2026-36176 2026-07-05 N/A 7.1 HIGH
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
CVE-2026-36175 2026-07-05 N/A 6.8 MEDIUM
An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence and injecting a crafted string into the kernel boot arguments.
CVE-2026-36174 2026-07-05 N/A 4.6 MEDIUM
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
CVE-2026-30695 2026-07-05 N/A 6.1 MEDIUM
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
CVE-2026-30603 2026-07-05 N/A 6.8 MEDIUM
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.
CVE-2026-30463 1 Thedaylightstudio 1 Fuel Cms 2026-07-05 N/A 7.7 HIGH
Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.
CVE-2026-30462 2026-07-05 N/A 4.3 MEDIUM
A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.
CVE-2026-30461 1 Thedaylightstudio 1 Fuel Cms 2026-07-05 N/A 8.3 HIGH
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
CVE-2026-30460 1 Thedaylightstudio 1 Fuel Cms 2026-07-05 N/A 8.8 HIGH
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
CVE-2026-30459 1 Thedaylightstudio 1 Fuel Cms 2026-07-05 N/A 7.1 HIGH
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.