Export limit exceeded: 346652 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346652 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13413 | 2 Soyrodriguez, Wordpress | 2 Country Blocker For Adsense, Wordpress | 2026-04-22 | 4.3 Medium |
| The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14040 | 2 Themesuite, Wordpress | 2 Automotive Car Dealership Business Wordpress Theme, Wordpress | 2026-04-22 | 6.4 Medium |
| The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13673 | 2 Themeum, Wordpress | 2 Tutor Lms – Elearning And Online Course Solution, Wordpress | 2026-04-22 | 7.5 High |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6. | ||||
| CVE-2026-33634 | 4 Aquasec, Aquasecurity, Litellm and 1 more | 8 Setup-trivy, Trivy, Trivy Action and 5 more | 2026-04-22 | 8.8 High |
| Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. | ||||
| CVE-2026-35616 | 1 Fortinet | 1 Forticlientems | 2026-04-22 | 9.1 Critical |
| A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. | ||||
| CVE-2026-3466 | 1 Checkmk | 1 Checkmk | 2026-04-22 | 5.4 Medium |
| Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. | ||||
| CVE-2026-34621 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2026-04-22 | 8.6 High |
| Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-6747 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 7.5 High |
| Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | ||||
| CVE-2026-6783 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 5.3 Medium |
| Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6782 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 7.5 High |
| Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6779 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 5.3 Medium |
| Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6775 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 5.3 Medium |
| Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6774 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 5.4 Medium |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6773 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 7.5 High |
| Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-33791 | 2 Juniper, Juniper Networks | 4 Junos, Junos Os Evolved, Junos Os and 1 more | 2026-04-22 | 6.7 Medium |
| An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S7-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | ||||
| CVE-2025-70364 | 1 Kiamo | 1 Kiamo | 2026-04-22 | 8.8 High |
| An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4. | ||||
| CVE-2026-6748 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 9.8 Critical |
| Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | ||||
| CVE-2017-20235 | 1 Prosoft-technology | 2 Icx35-hwc, Icx35-hwc Firmware | 2026-04-22 | 8.8 High |
| ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication bypass vulnerability in the web user interface that allows unauthenticated attackers to gain access to administrative functions without valid credentials. Attackers can bypass the authentication mechanism in affected firmware versions to obtain full administrative access to device configuration and settings. | ||||
| CVE-2026-4369 | 1 Autodesk | 1 Fusion | 2026-04-22 | 7.1 High |
| A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | ||||
| CVE-2017-20236 | 1 Prosoft-technology | 2 Icx35-hwc, Icx35-hwc Firmware | 2026-04-22 | 9.8 Critical |
| ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation vulnerability in the web user interface that allows remote attackers to inject and execute system commands by submitting malicious input through unvalidated fields. Attackers can exploit this vulnerability to gain root privileges and execute arbitrary commands on the device through the accessible web interface. | ||||