Export limit exceeded: 345459 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345459 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345459 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39467 | 2026-04-21 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through 3.106.0. | ||||
| CVE-2026-41082 | 1 Ocaml | 1 Ocaml | 2026-04-21 | 7.3 High |
| In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. | ||||
| CVE-2026-3308 | 1 Artifex | 1 Mupdf | 2026-04-21 | 7.8 High |
| An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution. | ||||
| CVE-2025-13826 | 1 Zervit | 1 Portable Http Web Server | 2026-04-21 | N/A |
| Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application. | ||||
| CVE-2026-3317 | 1 Navigate | 1 Navigate Cms | 2026-04-21 | N/A |
| Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker to execute JavaScript code in the victim's browser. | ||||
| CVE-2026-35616 | 1 Fortinet | 1 Forticlientems | 2026-04-21 | 9.1 Critical |
| A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. | ||||
| CVE-2026-6712 | 2026-04-21 | 4.4 Medium | ||
| The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-6711 | 2026-04-21 | 6.1 Medium | ||
| The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filter_input() without a sanitization filter and insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-6703 | 2026-04-21 | 4.3 Medium | ||
| The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior. | ||||
| CVE-2026-31370 | 2026-04-21 | 6.3 Medium | ||
| Honor E APP is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2026-31369 | 2026-04-21 | 3.2 Low | ||
| PcManager is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability | ||||
| CVE-2026-31368 | 2026-04-21 | 7.8 High | ||
| AiAssistant is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability. | ||||
| CVE-2026-5965 | 2026-04-21 | 9.8 Critical | ||
| NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. | ||||
| CVE-2025-7367 | 2 Wordpress, Wpchill | 2 Wordpress, Strong Testimonials | 2026-04-21 | 6.4 Medium |
| The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4369 | 2026-04-21 | 5.5 Medium | ||
| The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-21622 | 2 Hex, Hexpm | 2 Hexpm, Hexpm | 2026-04-21 | 9.8 Critical |
| Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced. If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email. This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884. | ||||
| CVE-2023-6955 | 1 Gitlab | 1 Gitlab | 2026-04-21 | 6.6 Medium |
| A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. | ||||
| CVE-2024-0402 | 1 Gitlab | 1 Gitlab | 2026-04-21 | 9.9 Critical |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. | ||||
| CVE-2023-4647 | 1 Gitlab | 1 Gitlab | 2026-04-21 | 5.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances. | ||||
| CVE-2023-4630 | 1 Gitlab | 1 Gitlab | 2026-04-21 | 5 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports. | ||||