Total
8121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-0896 | 1 Zulip | 1 Zulip Server | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this. | |||||
| CVE-2017-0554 | 1 Google | 1 Android | 2026-06-17 | 6.8 MEDIUM | 7.8 HIGH |
| An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946. | |||||
| CVE-2016-11036 | 1 Google | 1 Android | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with M(6.0) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-6008 (August 2016). | |||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | |||||
| CVE-2015-20067 | 1 Wp Attachment Export Project | 1 Wp Attachment Export | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress | |||||
| CVE-2015-10143 | 1 Pagelines | 1 Platform Theme | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Platform theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the *_ajax_save_options() function in all versions up to 1.4.4 (exclusive). This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2015-10140 | 1 Connekthq | 1 Ajax Load More | 2026-06-17 | N/A | 8.8 HIGH |
| The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files. | |||||
| CVE-2015-0571 | 1 Linux | 1 Linux Kernel | 2026-06-17 | 9.3 HIGH | 7.8 HIGH |
| The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c. | |||||
| CVE-2013-4226 | 1 Drupal | 1 Authenticated User Page Caching | 2026-06-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser. | |||||
| CVE-2013-3960 | 1 Easytimestudio | 1 Easy File Manager | 2026-06-16 | 8.7 HIGH | 9.9 CRITICAL |
| Easytime Studio Easy File Manager 1.1 has a HTTP request security bypass | |||||
| CVE-2013-10072 | 1 Nagios | 1 Nagios Xi | 2026-06-16 | N/A | 6.5 MEDIUM |
| Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations. | |||||
| CVE-2012-6614 | 1 Dlink | 2 Dsr-250n, Dsr-250n Firmware | 2026-06-16 | 9.0 HIGH | 7.2 HIGH |
| D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password. | |||||
| CVE-2012-4245 | 1 Gimp | 1 Gimp | 2026-06-16 | 6.8 MEDIUM | N/A |
| The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command. | |||||
| CVE-2012-0055 | 2 Canonical, Linux | 2 Ubuntu Linux, Linux Kernel | 2026-06-16 | 7.2 HIGH | 7.8 HIGH |
| OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions. | |||||
| CVE-2009-3781 | 1 Quicksketch | 1 Filefield | 2026-06-16 | 7.5 HIGH | N/A |
| The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors. | |||||
| CVE-2009-3168 | 1 Mevin | 1 Basic Php Events Lister | 2026-06-16 | 6.5 MEDIUM | 7.2 HIGH |
| Mevin Productions Basic PHP Events Lister 2.0 does not properly restrict access to (1) admin/reset.php and (2) admin/user_add.php, which allows remote authenticated users to reset administrative passwords or add administrators via a direct request. | |||||
| CVE-2009-2282 | 1 Oracle | 2 Opensolaris, Solaris | 2026-06-16 | 4.6 MEDIUM | N/A |
| The Virtual Network Terminal Server daemon (vntsd) for Logical Domains (aka LDoms) in Sun Solaris 10, and OpenSolaris snv_41 through snv_108, on SPARC platforms does not check authorization for guest console access, which allows local control-domain users to gain guest-domain privileges via unknown vectors. | |||||
| CVE-2008-6548 | 1 Moinmo | 1 Moinmoin | 2026-06-16 | 5.0 MEDIUM | N/A |
| The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors. | |||||
| CVE-2006-4483 | 1 Php | 1 Php | 2026-06-16 | 9.3 HIGH | N/A |
| The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. | |||||
| CVE-2005-3623 | 1 Linux | 1 Linux Kernel | 2026-06-16 | 5.0 MEDIUM | N/A |
| nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems. | |||||