Search Results (26990 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-11000 1 Smackcoders 1 Ultimate Exporter 2024-11-21 9.8 Critical
The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.
CVE-2016-10995 1 Templatic 1 Telvolution 2024-11-21 9.8 Critical
The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php.
CVE-2016-10972 1 Tagdiv 1 Newspaper 2024-11-21 9.8 Critical
The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.
CVE-2016-10971 1 Membersonic 1 Membersonic 2024-11-21 9.8 Critical
The MemberSonic Lite plugin before 1.302 for WordPress has incorrect login access control because only knowlewdge of an e-mail address is required.
CVE-2016-10955 1 Cysteme 1 Cysteme-finder 2024-11-21 9.8 Critical
The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.
CVE-2016-10954 1 Dynamicpress 1 Neosense 2024-11-21 9.8 Critical
The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.
CVE-2016-10942 1 Podlove 1 Podlove Podcast Publisher 2024-11-21 9.8 Critical
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.
CVE-2016-10764 1 Linux 1 Linux Kernel 2024-11-21 9.8 Critical
In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the ">" should be ">=" instead.
CVE-2016-10722 1 Partclone Project 1 Partclone 2024-11-21 9.8 Critical
partclone.fat in Partclone before 0.2.88 is prone to a heap-based buffer overflow vulnerability due to insufficient validation of the FAT superblock, related to the mark_reserved_sectors function. An attacker may be able to execute arbitrary code in the context of the user running the affected application.
CVE-2016-10541 1 Shell-quote Project 1 Shell-quote 2024-11-21 9.8 Critical
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.
CVE-2016-1000027 1 Vmware 1 Spring Framework 2024-11-21 9.8 Critical
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CVE-2016-1000006 1 Facebook 1 Hhvm 2024-11-21 9.8 Critical
hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions.
CVE-2016-1000005 1 Facebook 1 Hhvm 2024-11-21 9.8 Critical
mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).
CVE-2016-1000004 1 Facebook 1 Hhvm 2024-11-21 9.8 Critical
Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).
CVE-2016-0898 1 Vmware 1 Pivotal Software Mysql 2024-11-21 10.0 Critical
MySQL for PCF tiles 1.7.x before 1.7.10 were discovered to log the AWS access key in plaintext. These credentials were logged to the Service Backup component logs, and not the system log, thus were not exposed outside the Service Backup VM.
CVE-2015-9551 1 Totolink 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more 2024-11-21 9.8 Critical
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.
CVE-2015-9499 1 Themepunch 1 Showbiz Pro 2024-11-21 9.8 Critical
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
CVE-2015-9479 1 Advancedcustomfields 1 Acf Fronted Display 2024-11-21 9.8 Critical
The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php.
CVE-2015-9471 1 Digitalzoomstudio 1 Zoomsounds 2024-11-21 9.8 Critical
The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.php arbitrary file upload.
CVE-2015-9467 1 K-78 1 Broken Link Manager 2024-11-21 9.8 Critical
The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelURL or wpslEditURL SQL injection via the url parameter.