Total
361545 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-9607 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-9606 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-9605 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue. | |||||
| CVE-2026-9604 | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded. | |||||
| CVE-2026-9603 | 2026-06-17 | 6.4 MEDIUM | 6.5 MEDIUM | ||
| A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-9599 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the tectite_forms_button option, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-9595 | 1 Webpack.js | 1 Webpack-dev-server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required. | |||||
| CVE-2026-9594 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen. | |||||
| CVE-2026-9590 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission. | |||||
| CVE-2026-9584 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-9583 | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-9582 | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-9581 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended. | |||||
| CVE-2026-9580 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component. | |||||
| CVE-2026-9579 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded. | |||||
| CVE-2026-9575 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-9574 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in itsourcecode Student Transcript Processing System 1.0. This vulnerability affects unknown code of the file /admin/modules/student/trans.php. Executing a manipulation of the argument studentId/cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2026-9573 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0. This affects an unknown part of the file /admin/modules/student/index.php?view=view. Performing a manipulation of the argument studentId results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2026-9572 | 1 Gpac | 1 Gpac | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue. | |||||
| CVE-2026-9568 | 2026-06-17 | 5.1 MEDIUM | 5.0 MEDIUM | ||
| A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet. | |||||