Export limit exceeded: 349343 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349343 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12646 | 2026-04-15 | 8.1 High | ||
| The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||
| CVE-2024-12645 | 2026-04-15 | 6.5 Medium | ||
| The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system. | ||||
| CVE-2024-12636 | 2026-04-15 | 4.3 Medium | ||
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.6. This is due to missing or incorrect nonce validation on the 'create_popup_delete_process' function. This makes it possible for unauthenticated attackers to delete popups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-40160 | 2026-04-15 | 3.7 Low | ||
| Directory traversal vulnerability exists in Mailing List Search CGI (pmmls.exe) included in A.K.I Software's PMailServer/PMailServer2 products. If this vulnerability is exploited, a remote attacker may obtain arbitrary files on the server. | ||||
| CVE-2024-12626 | 2026-04-15 | 9.6 Critical | ||
| The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code. | ||||
| CVE-2023-40155 | 2026-04-15 | 6.7 Medium | ||
| Uncontrolled search path for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-40148 | 2026-04-15 | 6.5 Medium | ||
| Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests. | ||||
| CVE-2023-40004 | 2026-04-15 | 7.3 High | ||
| Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79. | ||||
| CVE-2024-12594 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Custom Login Page Styler – Login Protected Private Site , Change wp-admin login url , WordPress login logo , Temporary admin login access , Rename login , Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to login as other users such as subscribers. | ||||
| CVE-2023-39433 | 2026-04-15 | 4.4 Medium | ||
| Improper access control for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-3943 | 2026-04-15 | 10 Critical | ||
| Stack-based Buffer Overflow vulnerability in ZkTeco-based OEM devices allows, in some cases, the execution of arbitrary code. Due to the lack of protection mechanisms such as stack canaries and PIE, it is possible to successfully execute code even under restrictive conditions. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2024-12576 | 2026-04-15 | 5.5 Medium | ||
| Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger a crash of the FW running on the GPU freezing graphics output. | ||||
| CVE-2023-3942 | 2026-04-15 | 7.5 High | ||
| An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances, it enables the attacker to access user data and system parameters from the database. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other, Standalone service v. 2.1.6-20200907 and possibly others. | ||||
| CVE-2024-12564 | 2026-04-15 | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation. | ||||
| CVE-2025-67573 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sailing: from n/a through < 4.4.6. | ||||
| CVE-2023-3941 | 2026-04-15 | 10 Critical | ||
| Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2024-12532 | 2026-04-15 | 4.3 Medium | ||
| The BWD Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.18 in widgets/bwdeb-content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-12125 | 1 Redhat | 1 Red Hat 3scale Amp | 2026-04-15 | 7.5 High |
| A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information. | ||||
| CVE-2024-12212 | 2026-04-15 | 7.8 High | ||
| The vulnerability occurs in the parsing of CSP files. The issues result from the lack of proper validation of user-supplied data, which could allow reading past the end of allocated data structures, resulting in execution of arbitrary code. | ||||
| CVE-2024-12206 | 2026-04-15 | 4.3 Medium | ||
| The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||