Export limit exceeded: 346758 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346758 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25357 | 2 Azzaroco, Wordpress | 2 Ultimate Membership Pro, Wordpress | 2026-04-24 | 8.1 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7. | ||||
| CVE-2026-25358 | 2 Rascals, Wordpress | 2 Meloo, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2. | ||||
| CVE-2026-25361 | 2 Magepeopleteam, Wordpress | 2 Wpevently, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4. | ||||
| CVE-2026-25365 | 2 Wordpress, Özgür Karalar | 2 Wordpress, Kargo Takip | 2026-04-24 | 6.5 Medium |
| Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4. | ||||
| CVE-2026-25366 | 2 Themeisle, Wordpress | 2 Woody Ad Snippets, Wordpress | 2026-04-24 | 9.9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1. | ||||
| CVE-2026-25371 | 2 King-theme, Wordpress | 2 Lumise Product Designer, Wordpress | 2026-04-24 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9. | ||||
| CVE-2026-4066 | 2 Inc2734, Wordpress | 2 Smart Custom Fields, Wordpress | 2026-04-24 | 4.3 Medium |
| The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post. | ||||
| CVE-2026-4766 | 2 Devrix, Wordpress | 2 Easy Image Gallery, Wordpress | 2026-04-24 | 6.4 Medium |
| The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4783 | 1 Itsourcecode | 1 College Management System | 2026-04-24 | 6.3 Medium |
| A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/add-single-student-results.php of the component Parameter Handler. The manipulation of the argument course_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4530 | 1 Apconw | 1 Aix-db | 2026-04-24 | 5.3 Medium |
| A security flaw has been discovered in apconw Aix-DB up to 1.2.3. This impacts an unknown function of the file agent/text2sql/rag/terminology_retriever.py. Performing a manipulation of the argument Description results in sql injection. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4550 | 1 Code-projects | 1 Simple Gym Management System | 2026-04-24 | 4.7 Medium |
| A vulnerability has been found in code-projects Simple Gym Management System up to 1.0. This affects an unknown part of the file /gym/func.php. Such manipulation of the argument Trainer_id/fname leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4584 | 1 Shenzhen Hcc Technology | 1 Mpos M6 Plus | 2026-04-24 | 3.1 Low |
| A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10731 | 2 Reviewx, Wordpress | 2 Reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema, Wordpress | 2026-04-24 | 5.3 Medium |
| The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for unauthenticated attackers to obtain authentication tokens and subsequently bypass admin restrictions to access and export sensitive data including order details, names, emails, addresses, phone numbers, and user information. | ||||
| CVE-2026-4531 | 1 Free5gc | 1 Free5gc | 2026-04-24 | 5.3 Medium |
| A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to denial of service. The attack may be performed from remote. This patch is called 52e9386401ce56ea773c5aa587d4cdf7d53da799. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2025-10736 | 2 Reviewx, Wordpress | 2 Reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema, Wordpress | 2026-04-24 | 6.5 Medium |
| The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration | ||||
| CVE-2026-4537 | 1 Cudy | 1 Tr1200 | 2026-04-24 | 4.7 Medium |
| A vulnerability was determined in Cudy TR1200 R46-2.4.15-20250721-164017. Impacted is the function action_ipsec_conn of the file /usr/bin/lib/lua/luci/controller/ipsec.lua. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4539 | 1 Pygments | 1 Pygments | 2026-04-24 | 3.3 Low |
| A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-4540 | 1 Projectworlds | 1 Online Notes Sharing Platform | 2026-04-24 | 7.3 High |
| A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | ||||
| CVE-2026-4542 | 1 Sscms | 1 Sscms | 2026-04-24 | 5.4 Medium |
| A vulnerability has been found in SSCMS 4.7.0. The affected element is an unknown function of the file LayerImageController.Submit.cs of the component layerImage Endpoint. Such manipulation of the argument filePaths leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4549 | 1 Mickasmt | 1 Next-saas-stripe-starter | 2026-04-24 | 3.1 Low |
| A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult. | ||||