| CVE-2006-0572 | phpstatus 1.0 does not require passwords when using cookies to identify a user, which allows remote attackers to bypass authentication. | critical | 2026-04-16 |
| CVE-2006-0571 | Multiple cross-site scripting (XSS) vulnerabilities in phpstatus 1.0 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in the administrative interface. | medium | 2026-04-16 |
| CVE-2006-0570 | Multiple SQL injection vulnerabilities in phpstatus 1.0, when gpc_magic_quotes is disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the username parameter in check.php and (2) unknown attack vectors in the administrative interface. | critical | 2026-04-16 |
| CVE-2006-0569 | Cross-site scripting (XSS) vulnerability in user_class.php in Papoo 2.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the username field during the registration of a new account. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | medium | 2026-04-16 |
| CVE-2006-0568 | Cross-site scripting (XSS) vulnerability in throw.main in Outblaze allows remote attackers to inject arbitrary web script or HTML via the file parameter. | medium | 2026-04-16 |
| CVE-2006-0567 | Directory traversal vulnerability in Files Xaraya module before 0.5.1, when the Archive Directory field on the Modify Config page is blank, allows remote attackers to access files outside of the web root via ".." (dot dot) sequences. | high | 2026-04-16 |
| CVE-2006-0566 | The LDAP component in CommuniGate Pro Core Server 5.0.7 allows remote attackers to cause a denial of service (application crash) via LDAP messages that contain Distinguished Names (DN) fields with a large number of elements. | high | 2026-04-16 |
| CVE-2006-0565 | PHP remote file include vulnerability in inc/backend_settings.php in Loudblog 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the $GLOBALS[path] parameter. | critical | 2026-04-16 |
| CVE-2006-0564 | Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field. | high | 2026-04-16 |
| CVE-2006-0563 | SQL injection vulnerability in exec.php in PluggedOut Blog 1.9.9c allows remote attackers to execute arbitrary SQL commands via the entryid parameter in a comment_add action. | critical | 2026-04-16 |
| CVE-2006-0562 | Cross-site scripting (XSS) vulnerability in problem.php in PluggedOut Blog 1.9.9c allows remote attackers to inject arbitrary web script or HTML via the data parameter. | medium | 2026-04-16 |
| CVE-2006-0561 | Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key. | medium | 2026-04-16 |
| CVE-2006-0559 | Format string vulnerability in the SMTP server for McAfee WebShield 4.5 MR2 and earlier allows remote attackers to execute arbitrary code via format strings in the domain name portion of a destination address, which are not properly handled when a bounce message is constructed. | critical | 2026-04-16 |
| CVE-2006-0558 | perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function. | medium | 2026-04-16 |
| CVE-2006-0557 | sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors. | critical | 2026-04-16 |
| CVE-2006-0555 | The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O). | medium | 2026-04-16 |
| CVE-2006-0554 | Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data. | medium | 2026-04-16 |
| CVE-2006-0553 | PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678. | high | 2026-04-16 |
| CVE-2006-0552 | Unspecified vulnerability in the Net Listener component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB11. | critical | 2026-04-16 |
| CVE-2006-0551 | SQL injection vulnerability in the Data Pump Metadata API in Oracle Database 10g and possibly earlier might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB06 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0259 or, if it is DB05, subsumed by CVE-2006-0260. | critical | 2026-04-16 |
| CVE-2006-0550 | Buffer overflow in an unspecified Oracle Client utility might allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DBC02 from the January 2006 CPU, in which case this would be a duplicate of CVE-2006-0283. However, there are enough inconsistencies that the mapping can not be made authoritatively. | critical | 2026-04-16 |
| CVE-2006-0549 | SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259. | critical | 2026-04-16 |
| CVE-2006-0548 | SQL injection vulnerability in the Oracle Text component of Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB15 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. | critical | 2026-04-16 |
| CVE-2006-0547 | Oracle Database 8i, 9i, and 10g allow remote authenticated users to execute arbitrary SQL statements in the context of the SYS user and bypass audit logging, including statements to create new privileged database accounts, via a modified AUTH_ALTER_SESSION attribute in the authentication phase of the Transparent Network Substrate (TNS) protocol. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB18 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0265. | high | 2026-04-16 |
| CVE-2006-0546 | Unspecified vulnerability in index.php in a certain application available from /v1/tr/portfoy.php on www.egeinternet.com allows remote attackers to execute arbitrary code via "evilcode" in the key parameter, possibly a PHP remote file include vulnerability in which the attack vector is a URL in the key parameter. NOTE: it is not clear whether this vulnerability is associated with an online service or application service provider. If so, then it should not be included in CVE. | critical | 2026-04-16 |
| CVE-2006-0545 | SQL injection vulnerability in showflat.php in Groupee (formerly known as Infopop) UBB.threads 6.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Number parameter. | critical | 2026-04-16 |
| CVE-2006-0544 | urlmon.dll in Microsoft Internet Explorer 7.0 beta 2 (aka 7.0.5296.0) allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a BGSOUND element with its SRC attribute set to "file://" followed by a large number of "-" (dash of hyphen) characters. | high | 2026-04-16 |
| CVE-2006-0543 | Cerulean Trillian 3.1.0.120 allows remote attackers to cause a denial of service (client crash) via an AIM message containing the Mac encoded Rich Text Format (RTF) escape sequences (1) \'d1, (2) \'d2, (3) \'d3, (4) \'d4, and (5) \'d5. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | high | 2026-04-16 |
| CVE-2006-0542 | Multiple SQL injection vulnerabilities in config.php in NukedWeb GuestBookHost 2005.04.25 allow remote attackers to execute arbitrary SQL commands via the (1) email and (2) password parameters. | critical | 2026-04-16 |
| CVE-2006-0541 | Multiple cross-site scripting (XSS) vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "posting new messages." | medium | 2026-04-16 |
| CVE-2006-0540 | Multiple SQL injection vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | critical | 2026-04-16 |
| CVE-2006-0539 | The convert-fcrontab program in fcron 3.0.0 might allow local users to gain privileges via a long command-line argument, which causes Linux glibc to report heap memory corruption, possibly because a strcpy in the strdup2 function can "overwrite some data." | high | 2026-04-16 |
| CVE-2006-0538 | CipherTrust IronMail 5.0.1, when "Denial of Service Protection" is enabled, allows remote attackers to cause a denial of service (possibly CPU consumption) via a SYN flood with malformed TCP packets from multiple connections. | high | 2026-04-16 |
| CVE-2006-0537 | Buffer overflow in the POP3 server in Kinesphere Corporation eXchange before 5.0.060125 allows remote attackers to execute arbitrary code via a long RCPT TO argument. | critical | 2026-04-16 |
| CVE-2006-0536 | Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.27 allows remote attackers to inject arbitrary web script or HTML via the sort parameter. NOTE: some sources say that the affected parameter is "date," but the demonstration URL shows that it is "sort". | medium | 2026-04-16 |
| CVE-2006-0535 | Multiple cross-site scripting (XSS) vulnerabilities in Community Server allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: this candidate does not contain any actionable or distinguishing information. Perhaps it should not be included in CVE. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | medium | 2026-04-16 |
| CVE-2006-0534 | Multiple cross-site scripting (XSS) vulnerabilities in default.asp in CyberShop Ultimate E-commerce allow remote attackers to inject arbitrary web script or HTML via the (1) ortak or (2) kat parameter. | medium | 2026-04-16 |
| CVE-2006-0533 | Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter. | medium | 2026-04-16 |
| CVE-2006-0532 | Cross-site scripting (XSS) vulnerability in resultat.asp in SoftMaker Shop allows remote attackers to inject arbitrary web script or HTML via a strSok parameter containing a javascript: URI in an IMG SRC attribute. | medium | 2026-04-16 |
| CVE-2006-0531 | Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. | high | 2026-04-16 |
| CVE-2006-0530 | Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via spoofed CAM control messages. | high | 2026-04-16 |
| CVE-2006-0529 | Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via a crafted message to TCP port 4105. | high | 2026-04-16 |
| CVE-2006-0528 | The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment. | high | 2026-04-16 |
| CVE-2006-0527 | BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allows remote attackers to gain privileged access via a "Kashpureff-style DNS cache corruption" attack. | critical | 2026-04-16 |
| CVE-2006-0526 | The default configuration of the America Online (AOL) client software allows all users to modify a certain registry value that specifies a DLL file name, which might allow local users to gain privileges via a Trojan horse program. | high | 2026-04-16 |
| CVE-2006-0525 | Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator CS2, and (3) Adobe Help Center, install a large number of .EXE and .DLL files with write-access permission for the Everyone group, which allows local users to gain privileges via Trojan horse programs. | high | 2026-04-16 |
| CVE-2006-0524 | Cross-site scripting (XSS) vulnerability in ashnews.php in Derek Ashauer ashNews 0.83 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | medium | 2026-04-16 |
| CVE-2006-0523 | SQL injection vulnerability in global.php in MyBB before 1.03 allows remote attackers to execute arbitrary SQL commands via the templatelist variable. | critical | 2026-04-16 |
| CVE-2006-0522 | SQL injection vulnerability in the Authentication Servlet in Symantec Sygate Management Server (SMS) version 4.1 build 1417 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via unknown attack vectors related to a URL. | critical | 2026-04-16 |
| CVE-2006-0521 | Cross-site scripting (XSS) vulnerability in results.php in BrowserCRM allows remote attackers to inject arbitrary web script or HTML via certain manipulations of the query parameter, as demonstrated using an IMG SRC tag. | medium | 2026-04-16 |
