Search Results (344983 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6409 | | | 2026-04-16 | N/A |
| A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability. | ||||
| CVE-2026-40786 | 2 Long Watch Studio, Wordpress | 2 Myrewards, Wordpress | 2026-04-16 | 4.3 Medium |
| Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyRewards: from n/a through <= 5.7.3. | ||||
| CVE-2026-40778 | 2 Majesticsupport, Wordpress | 2 Majestic Support, Wordpress | 2026-04-16 | 5.3 Medium |
| Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through <= 1.1.2. | ||||
| CVE-2026-40763 | 2 Wordpress, Wp Royal | 2 Wordpress, Royal Elementor Addons | 2026-04-16 | 5.3 Medium |
| Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056. | ||||
| CVE-2026-40744 | 2 Wordpress, Wpbeaverbuilder | 2 Wordpress, Beaver Builder | 2026-04-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection. This issue affects Beaver Builder: from n/a through <= 2.10.1.2. | ||||
| CVE-2026-40740 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-04-16 | 5.4 Medium |
| Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7. | ||||
| CVE-2026-40734 | 2 Wordpress, Zahlan | 2 Wordpress, Categories Images | 2026-04-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS. This issue affects Categories Images: from n/a through <= 3.3.1. | ||||
| CVE-2026-40729 | 2 Bplugins, Wordpress | 2 3d Viewer – Embed 3d Models, Wordpress | 2026-04-16 | 4.3 Medium |
| Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5. | ||||
| CVE-2026-40104 | 1 Xwiki | 2 Xwiki-platform-legacy-oldcore, Xwiki-platform-oldcore | 2026-04-16 | 8.2 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1. | ||||
| CVE-2026-37344 | | | 2026-04-16 | N/A |
| SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php. | ||||
| CVE-2026-37343 | | | 2026-04-16 | N/A |
| SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php. | ||||
| CVE-2026-37342 | | | 2026-04-16 | N/A |
| SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php. | ||||
| CVE-2026-37341 | | | 2026-04-16 | N/A |
| SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php. | ||||
| CVE-2026-37339 | | | 2026-04-16 | N/A |
| SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php. | ||||
| CVE-2026-37337 | | | 2026-04-16 | N/A |
| SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php. | ||||
| CVE-2026-37336 | | | 2026-04-16 | N/A |
| SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php. | ||||
| CVE-2026-33804 | | | 2026-04-16 | 7.4 High |
| @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option. | ||||
| CVE-2026-30993 | 1 Slah Cms | 1 Slah Cms | 2026-04-16 | 9.8 Critical |
| Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input. | ||||
| CVE-2026-30625 | 1 Upsonic | 1 Upsonic | 2026-04-16 | 9.8 Critical |
| Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning about using Stdio servers being able to execute commands directly on the machine. | ||||
| CVE-2026-30461 | 1 Daylightstudio | 1 Fuel Cms | 2026-04-16 | 8.3 High |
| Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. | ||||