Search

Search Results (366369 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-47941 2 Modalsurvey, Wordpress 3 Survey & Poll, Wordpress Survey And Poll, Wordpress 2026-07-15 8.2 High
WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database.
CVE-2021-47932 2 Thecartpress, Wordpress 2 Thecartpress, Wordpress 2026-07-15 9.8 Critical
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.
CVE-2021-47925 2 Cmdbuild, Tecnoteca 2 Cmdbuild, Cmdbuild 2026-07-15 6.4 Medium
CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
CVE-2021-47903 2 Litespeed Technologies, Litespeedtech 2 Litespeed Web Server, Litespeed Web Server 2026-07-15 8.8 High
LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection.
CVE-2021-47889 2 Cd-messenger Project, Softros Systems 2 Cd-messenger, Lan Messenger 2026-07-15 7.8 High
Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges.
CVE-2021-47815 2 Nsasoft, Nsauditor 2 Nsauditor, Nsauditor 2026-07-15 7.5 High
Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash.
CVE-2021-47778 2 Get-simple, Netexplorer 2 Getsimplecms, My Smtp Contact 2026-07-15 7.2 High
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
CVE-2021-47736 1 Cmsimple-xh 1 Cmsimple Xh 2026-07-15 7.2 High
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.
CVE-2021-47708 2 Bosch, Commax 2 Smart Home, Smart Home System 2026-07-15 N/A
COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access.
CVE-2021-4474 3 Ruckus, Ruckussecurity, Ruckuswireless 9 Ruckus Unleashed, Smartzone 100-d (sz100-d) (eol), Smartzone 100 (sz-100) (eol) and 6 more 2026-07-15 4.9 Medium
Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive information including configuration files, credentials, and system data stored on the device.
CVE-2020-37255 2 Wordpress, Wptimecapsule 2 Wordpress, Wp Time Capsule 2026-07-15 7.5 High
WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.
CVE-2020-37254 1 Wondershare 1 Pdfelement 2026-07-15 7.8 High
Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Local attackers can place a malicious executable in the service path and execute code with LocalSystem privileges upon service restart or system reboot.
CVE-2020-37236 1 Netartmedia 1 News Lister 2026-07-15 6.4 Medium
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.
CVE-2020-37226 1 Joomsky 2 J2 Jobs, Js Jobs 2026-07-15 7.1 High
Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information using automated tools.
CVE-2020-37224 1 Joomsky 2 J2 Jobs, Js Jobs 2026-07-15 7.1 High
Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information.
CVE-2020-37216 1 Belden 1 Hirschmann Hios 2026-07-15 7.5 High
Hirschmann HiOS devices versions prior to 08.1.00 and 07.1.01 contain a denial of service vulnerability in the EtherNet/IP stack where improper handling of packet length fields allows remote attackers to crash or hang the device. Attackers can send specially crafted UDP EtherNet/IP packets with a length value larger than the actual packet size to render the device inoperable.
CVE-2020-37137 1 Php-fusion 2 Php-fusion, Phpfusion 2026-07-15 6.1 Medium
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.
CVE-2020-37136 2 Ejinshan, Emtec 2 Terminal Security System, Zoc Terminal 2026-07-15 7.5 High
ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files.
CVE-2020-37130 2 Nsasoft, Nsauditor 2 Nsauditor, Nsauditor 2026-07-15 7.5 High
Nsauditor 3.2.0.0 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can create a malicious payload of 1000 bytes of repeated characters to trigger an application crash when pasted into the registration name field.
CVE-2020-37128 2 Ejinshan, Emtec 2 Terminal Security System, Zoc Terminal 2026-07-15 6.2 Medium
ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of service.