Export limit exceeded: 346359 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 29902 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9950 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49351 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS.This issue affects Create Posts & Terms: from n/a through <= 1.3.1. | ||||
| CVE-2019-25359 | 1 Sitzungsdienst | 1 Sd.net Rim | 2026-04-15 | 8.2 High |
| SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/ endpoint, enabling unauthorized database manipulation and potential information disclosure. | ||||
| CVE-2025-24289 | 2026-04-15 | N/A | ||
| A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default. | ||||
| CVE-2024-12557 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Transporters.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-35773 | 2026-04-15 | 7.1 High | ||
| Cross-Site Request Forgery (CSRF) vulnerability in WPJohnny, zerOneIT Comment Reply Email allows Cross-Site Scripting (XSS).This issue affects Comment Reply Email: from n/a through 1.3. | ||||
| CVE-2024-12554 | 2026-04-15 | 5.4 Medium | ||
| The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_post() function. This makes it possible for unauthenticated attackers to blacklist emails via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-41723 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 9.8 Critical |
| The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations. | ||||
| CVE-2025-24358 | 2026-04-15 | N/A | ||
| gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2. | ||||
| CVE-2024-36677 | 2026-04-15 | 7.5 High | ||
| In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is stolen. | ||||
| CVE-2024-1785 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| The Contests by Rewards Fuel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.62. This is due to missing or incorrect nonce validation on the ajax_handler() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site's user with the edit_posts capability into performing an action such as clicking on a link. | ||||
| CVE-2024-12056 | 1 Arcinfo | 1 Pcvue | 2026-04-15 | N/A |
| The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges. | ||||
| CVE-2024-36682 | 2026-04-15 | 7.5 High | ||
| In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email collected while SHOP is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collect email when maintenance is enable which can lead to leak of personal information. | ||||
| CVE-2024-32450 | 2026-04-15 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team WpTravelly.This issue affects WpTravelly: from n/a through 1.6.0. | ||||
| CVE-2024-31388 | 2026-04-15 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Pauple Table & Contact Form 7 Database – Tablesome.This issue affects Table & Contact Form 7 Database – Tablesome: from n/a through 1.0.25. | ||||
| CVE-2024-8489 | 1 Modelscope | 1 Agentscope | 2026-04-15 | N/A |
| A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all backend endpoints, including the `api/file` endpoint, enabling the reading of arbitrary files on the target's local file system through CSRF. | ||||
| CVE-2025-11087 | 2 Wordpress, Zozothemes | 2 Wordpress, Zegen | 2026-04-15 | 8.8 High |
| The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-41972 | 2026-04-15 | 6.5 Medium | ||
| A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges. | ||||
| CVE-2025-35981 | 1 Gallagher | 1 Command Centre | 2026-04-15 | 5.5 Medium |
| Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not normally have permissions to view. This issue affects Command Centre Server: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6). | ||||
| CVE-2024-24336 | 2 Koha, Koha-community | 2 Koha, Koha Library Software | 2026-04-15 | 8.1 High |
| A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. | ||||
| CVE-2024-39163 | 2026-04-15 | 8.8 High | ||
| binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints. | ||||