Export limit exceeded: 348226 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 348226 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348226 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8685 | 2 Emilien, Wordpress | 2 Wp Chart Generator, Wordpress | 2026-04-22 | 6.4 Medium |
| The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8767 | 2 Anwp, Wordpress | 2 Football Leagues, Wordpress | 2026-04-22 | 4.8 Medium |
| The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2025-56216 | 1 Phpgurukul | 1 Hospital Management System | 2026-04-22 | 8.5 High |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the pagetitle parameter. | ||||
| CVE-2025-56215 | 1 Phpgurukul | 1 Hospital Management System | 2026-04-22 | 6.5 Medium |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter. | ||||
| CVE-2025-56214 | 1 Phpgurukul | 1 Hospital Management System | 2026-04-22 | 9.8 Critical |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. | ||||
| CVE-2025-9344 | 2026-04-22 | 6.4 Medium | ||
| The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-57147 | 1 Phpgurukul | 1 Complaint Management System | 2026-04-22 | 7.5 High |
| A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php. | ||||
| CVE-2025-57146 | 1 Phpgurukul | 1 Complaint Management System | 2026-04-22 | 8.1 High |
| phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter. | ||||
| CVE-2025-9518 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-10046 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-22 | 4.9 Medium |
| The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-10049 | 2026-04-22 | 7.2 High | ||
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-6982 | 1 Tp-link | 3 Archer C50 V3, Archer C50 V4, Archer C50 V5 | 2026-04-22 | N/A |
| Use of Hard-coded Credentials in TP-Link Archer C50 V3( <= 180703)/V4( <= 250117 )/V5( <= 200407 ), and C20 V5 (<US_V5_260419 or <EU_V5_260317) allows attackers to decrypt the config.xml files. | ||||
| CVE-2025-15551 | 1 Tp-link | 8 Archer C20, Archer C20 Firmware, Archer Mr200 and 5 more | 2026-04-22 | 5.6 Medium |
| The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. | ||||
| CVE-2025-9631 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 4.3 Medium |
| The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0763 | 2 Webcodingplace, Wordpress | 2 Ultimate Classified Listings, Wordpress | 2026-04-22 | 4.3 Medium |
| The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields. | ||||
| CVE-2025-48038 | 1 Erlang | 2 Erlang\/otp, Otp | 2026-04-22 | 4.3 Medium |
| Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | ||||
| CVE-2025-48040 | 1 Erlang | 2 Erlang\/otp, Otp | 2026-04-22 | 5.3 Medium |
| Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | ||||
| CVE-2025-10166 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twitter' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10493 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 5.3 Medium |
| The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5. | ||||
| CVE-2025-10181 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||