Total: 4676 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-8910 | 1 Ibm | 1 Db2 | 2026-05-06 | 4.0 MEDIUM | N/A |
| IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement. | |||||
| CVE-2015-0931 | 1 Ektron | 1 Ektron Content Management System | 2026-05-06 | 6.8 MEDIUM | N/A |
| Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1, when the Saxon XSLT parser is used, allows remote attackers to execute arbitrary code via a crafted XSLT document, related to a "resource injection" issue. | |||||
| CVE-2016-5685 | 1 Dell | 4 Idrac7, Idrac7 Firmware, Idrac8 and 1 more | 2026-05-06 | 9.0 HIGH | 8.8 HIGH |
| Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection. | |||||
| CVE-2015-1592 | 2 Debian, Sixapart | 2 Debian Linux, Movable Type | 2026-05-06 | 7.5 HIGH | N/A |
| Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors. | |||||
| CVE-2015-3253 | 2 Apache, Oracle | 6 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 3 more | 2026-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | |||||
| CVE-2015-3205 | 1 Libmimedir Project | 1 Libmimedir | 2026-05-06 | 7.5 HIGH | N/A |
| libmimedir allows remote attackers to execute arbitrary code via a VCF file with two NULL bytes at the end of the file, related to "free" function calls in the "lexer's memory clean-up procedure." | |||||
| CVE-2015-1169 | 1 Apereo | 1 Central Authentication Service | 2026-05-06 | 7.5 HIGH | N/A |
| Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. | |||||
| CVE-2014-7287 | 1 Symantec | 2 Encryption Management Server, Pgp Universal Server | 2026-05-06 | 5.0 MEDIUM | N/A |
| The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header. | |||||
| CVE-2015-3200 | 3 Hp, Lighttpd, Oracle | 3 Virtual Customer Access System, Lighttpd, Solaris | 2026-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character. | |||||
| CVE-2015-3013 | 1 Owncloud | 1 Owncloud Server | 2026-05-06 | 6.0 MEDIUM | N/A |
| ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file. | |||||
| CVE-2016-10131 | 1 Codeigniter | 1 Codeigniter | 2026-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments. | |||||
| CVE-2014-8423 | 1 Arris | 1 Vap2500 Firmware | 2026-05-06 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. | |||||
| CVE-2015-7466 | 1 Ibm | 1 Jazz Reporting Service | 2026-05-06 | 4.0 MEDIUM | 3.1 LOW |
| Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended query restrictions or modify the LDAP directory, via unspecified vectors. | |||||
| CVE-2015-7309 | 1 Boltcms | 1 Bolt | 2026-05-06 | 6.5 MEDIUM | N/A |
| The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it. | |||||
| CVE-2016-2204 | 1 Symantec | 1 Messaging Gateway | 2026-05-06 | 6.5 MEDIUM | 8.2 HIGH |
| The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input. | |||||
| CVE-2015-5841 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2026-05-06 | 5.0 MEDIUM | N/A |
| The CFNetwork Proxies component in Apple iOS before 9 does not properly handle a Set-Cookie header within a response to an HTTP CONNECT request, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response. | |||||
| CVE-2016-7125 | 1 Php | 1 Php | 2026-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. | |||||
| CVE-2016-9832 | 1 Pwc | 1 Ace-advanced Business Application Programming | 2026-05-06 | 6.5 MEDIUM | 9.9 CRITICAL |
| PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report. | |||||
| CVE-2016-5701 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2026-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. | |||||
| CVE-2026-7264 | | | 2026-05-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | |||||
