Export limit exceeded: 349431 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 349431 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 349431 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349431 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3226 | 2 Thimpress, Wordpress | 2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress | 2026-04-22 | 4.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests. | ||||
| CVE-2026-3657 | 2 Premio, Wordpress | 2 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly Mystickymenu), Wordpress | 2026-04-22 | 7.5 High |
| The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database. | ||||
| CVE-2026-3956 | 1 Xierongwkhd | 1 Weimai-wetapp | 2026-04-22 | 4.7 Medium |
| A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3959 | 1 0xkoda | 1 Wiremcp | 2026-04-22 | 5.3 Medium |
| A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e. Impacted is the function server.tool of the file index.js of the component Tshark CLI Command Handler. The manipulation results in os command injection. The attack needs to be approached locally. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3962 | 1 Jcharis | 1 Machine-learning-web-apps | 2026-04-22 | 4.3 Medium |
| A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-3964 | 1 Openakita | 1 Openakita | 2026-04-22 | 5.3 Medium |
| A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3965 | 1 Whyour | 1 Qinglong | 2026-04-22 | 6.3 Medium |
| A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional. | ||||
| CVE-2026-3966 | 1 648540858 | 1 Wvp-gb28181-pro | 2026-04-22 | 6.3 Medium |
| A vulnerability was detected in 648540858 wvp-GB28181-pro up to 2.7.4-20260107. Affected by this vulnerability is the function getDownloadFilePath of the file /src/main/java/com/genersoft/iot/vmp/media/abl/ABLMediaNodeServerService.java of the component IP Address Handler. The manipulation of the argument MediaServer.streamIp results in server-side request forgery. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3984 | 1 Campcodes | 1 Division Regional Athletic Meet Game Result Matrix System | 2026-04-22 | 3.5 Low |
| A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. This manipulation of the argument a_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-3992 | 1 Codegenieapp | 1 Serverless-express | 2026-04-22 | 6.3 Medium |
| A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4009 | 1 Jarikomppa | 1 Soloud | 2026-04-22 | 3.3 Low |
| A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommended to address this issue. It is recommended to upgrade the affected component. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-32370 | 2 Raratheme, Wordpress | 2 Influencer, Wordpress | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Influencer influencer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Influencer: from n/a through <= 1.1.7. | ||||
| CVE-2026-32368 | 2 Delphiknight, Wordpress | 2 Geo To Lat, Wordpress | 2026-04-22 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19. | ||||
| CVE-2026-32366 | 2 Robfelty, Wordpress | 2 Collapsing Categories, Wordpress | 2026-04-22 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects Collapsing Categories: from n/a through <= 3.0.9. | ||||
| CVE-2026-32364 | 2 Redqteam, Wordpress | 2 Turbo Manager, Wordpress | 2026-04-22 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue affects Turbo Manager: from n/a through < 4.0.8. | ||||
| CVE-2026-32363 | 2 Funlus Oy, Wordpress | 2 Wplifecycle, Wordpress | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLifeCycle: from n/a through <= 3.3.1. | ||||
| CVE-2026-32361 | 2 Marketing Fire, Wordpress | 2 Editorial Calendar, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0. | ||||
| CVE-2026-32360 | 2 Richplugins, Wordpress | 2 Rich Showcase For Google Reviews, Wordpress | 2026-04-22 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3. | ||||
| CVE-2026-32356 | 2 Robosoft, Wordpress | 2 Robo Gallery, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.This issue affects Robo Gallery: from n/a through <= 5.1.2. | ||||
| CVE-2026-32352 | 2 Elementor, Wordpress | 2 Elementor Website Builder, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows DOM-Based XSS.This issue affects Elementor Website Builder: from n/a through <= 3.35.5. | ||||