Export limit exceeded: 344873 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344873 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2409 | 1 Delinea | 1 Cloud Suite | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1. | ||||
| CVE-2025-30076 | 1 Koha | 1 Koha | 2026-04-15 | 7.7 High |
| Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. | ||||
| CVE-2025-30077 | 2026-04-15 | 6.2 Medium | ||
| Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits. | ||||
| CVE-2024-34556 | 2026-04-15 | N/A | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.5.4. | ||||
| CVE-2025-10730 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-3008 | 2026-04-15 | 5.5 Medium | ||
| A vulnerability classified as critical has been found in Novastar CX40 up to 2.44.0. Affected is the function system/popen of the file /usr/nova/bin/netconfig of the component NetFilter Utility. The manipulation leads to command injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-30089 | 2026-04-15 | 5.4 Medium | ||
| gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences. | ||||
| CVE-2025-58637 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in immonex immonex Kickstart immonex-kickstart allows PHP Local File Inclusion.This issue affects immonex Kickstart: from n/a through <= 1.11.6. | ||||
| CVE-2020-36853 | 2 10web, Wordpress | 2 Map Builder For Google Maps, Wordpress | 2026-04-15 | 7.2 High |
| The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10740 | 2 Rupok98, Wordpress | 2 Url Shortener Plugin For Wordpress, Wordpress | 2026-04-15 | 6.3 Medium |
| The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links. | ||||
| CVE-2025-3009 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability classified as critical was found in Jinher Network OA C6. Affected by this vulnerability is an unknown functionality of the file /C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-30090 | 1 Squirrelmail | 1 Squirrelmail | 2026-04-15 | 7.2 High |
| mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true. | ||||
| CVE-2025-30091 | 2026-04-15 | N/A | ||
| In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed. | ||||
| CVE-2025-30092 | 2026-04-15 | 6.1 Medium | ||
| Intrexx Portal Server 12.x <= 12.0.2 and 11.x <= 11.9.2 allows XSS in multiple Velocity scripts. | ||||
| CVE-2026-24332 | 1 Discord | 1 Discord | 2026-04-15 | 4.3 Medium |
| Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | ||||
| CVE-2025-30095 | 2026-04-15 | 9 Critical | ||
| VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the SSH daemon. I n VyOS, this is not the default configuration for the system SSH daemon, but is for the console service. To mitigate this, one can run "rm -f /etc/dropbear/*key*" and/or "rm -f /etc/dropbear-initramfs/*key*" and then dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key and reload the service or reboot the system before using Dropbear as the SSH daemon (this clears out all keys mistakenly built into the release image) or update to the latest version of VyOS 1.4 or 1.5. Note that this vulnerability is not unique to VyOS and may appear in any Debian-based Linux distribution that uses Dropbear in combination with live-build, which has a safeguard against this behavior in OpenSSH but no equivalent one for Dropbear. | ||||
| CVE-2026-24356 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0. | ||||
| CVE-2026-24357 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Recipe Maker: from n/a through <= 10.2.4. | ||||
| CVE-2026-24358 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-04-15 | 8.8 High |
| Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. | ||||
| CVE-2026-24383 | 2 Bplugins, Wordpress | 2 B Slider, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS.This issue affects B Slider: from n/a through <= 2.0.6. | ||||