Search Results (341118 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27090 | 2 Wordpress, Wp Moose | 2 Wordpress, Kenta Companion | 2026-02-20 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through <= 1.3.3. | ||||
| CVE-2026-27092 | 2 Greg Winiarski, Wordpress | 2 Wpadverts, Wordpress | 2026-02-20 | 6.5 Medium |
| Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPAdverts: from n/a through <= 2.2.11. | ||||
| CVE-2026-25527 | 2 Dgtlmoon, Webtechnologies | 2 Changedetection.io, Changedetection | 2026-02-20 | 5.3 Medium |
| changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue. | ||||
| CVE-2025-71247 | 1 Spip | 1 Spip | 2026-02-20 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-71248 | 1 Spip | 1 Spip | 2026-02-20 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-71249 | 1 Spip | 1 Spip | 2026-02-20 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-71250 | 1 Spip | 1 Spip | 2026-02-20 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2026-27325 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27324 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27323 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27322 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27321 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27320 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27319 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27318 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-27317 | | | 2026-02-20 | N/A |
| Not used | ||||
| CVE-2026-26995 | | | 2026-02-20 | N/A |
| Further research determined the issue is an external dependency vulnerability. | ||||
| CVE-2026-21434 | 1 Quic-go | 1 Webtransport-go | 2026-02-19 | 5.3 Medium |
| webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0. | ||||
| CVE-2026-21435 | 1 Quic-go | 1 Webtransport-go | 2026-02-19 | 5.3 Medium |
| webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0. | ||||
| CVE-2026-21438 | 1 Quic-go | 1 Webtransport-go | 2026-02-19 | 5.3 Medium |
| webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0. | ||||