Export limit exceeded: 10586 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10586 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29997 | 2026-04-15 | N/A | ||
| This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API request URL to gain unauthorized access to other user accounts. | ||||
| CVE-2024-12711 | 2 Wordpress, Wpchill | 2 Wordpress, Rsvp And Event Management | 2026-04-15 | 5.3 Medium |
| The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders. | ||||
| CVE-2024-12862 | 1 Opentext | 1 Content Server | 2026-04-15 | N/A |
| Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4. | ||||
| CVE-2024-35685 | 1 Anders Noren | 1 Radcliffe 2 | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Anders Norén Radcliffe 2.This issue affects Radcliffe 2: from n/a through 2.0.17. | ||||
| CVE-2024-35686 | 1 Automattic | 2 Sensei Lms, Sensei Pro | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Automattic Sensei LMS, Automattic Sensei Pro (WC Paid Courses).This issue affects Sensei LMS: from n/a through 4.23.1; Sensei Pro (WC Paid Courses): from n/a through 4.23.1.1.23.1. | ||||
| CVE-2024-12881 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eos_plugin_reviews_restore_version() function in all versions up to, and including, 0.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files leveraging files included locally. | ||||
| CVE-2024-51425 | 1 Ethereum | 1 Ethereum | 2026-04-15 | 8.8 High |
| An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls. | ||||
| CVE-2024-13367 | 2026-04-15 | 6.5 Medium | ||
| The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download an entire copy of a sandbox environment which can contain sensitive information like the wp-config.php file. | ||||
| CVE-2024-39625 | 1 Icegram | 1 Icegram | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24. | ||||
| CVE-2024-3626 | 2026-04-15 | 4.3 Medium | ||
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. This makes it possible for authenticated attackers, with subscriber access and above, to obtain the contents of private and password-protected posts. | ||||
| CVE-2024-1371 | 1 Wordpress | 2 Leadconnector, Wordpress | 2026-04-15 | 6.5 Medium |
| The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2024-34378 is likely a duplicate of this issue. | ||||
| CVE-2024-13717 | 2 Vcita, Wordpress | 2 Contact Form And Calls To Action By Vcita, Wordpress | 2026-04-15 | 4.3 Medium |
| The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to enabled and disable widgets. | ||||
| CVE-2024-13747 | 2026-04-15 | 4.3 Medium | ||
| The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query. | ||||
| CVE-2024-13767 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2024-4138 | 1 Sap | 1 S/4 Hana | 2026-04-15 | 4.3 Medium |
| Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of the application. Confidentiality and Availability are not affected. | ||||
| CVE-2024-13947 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2026-04-15 | 6 Medium |
| Device commissioning parameters in ASPECT may be modified by an external source if administrative credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | ||||
| CVE-2024-4139 | 2026-04-15 | 4.3 Medium | ||
| Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application. Confidentiality and Availability are not affected. | ||||
| CVE-2024-41617 | 1 Moneymanagerex | 1 Money Manager Ex Webapp | 2026-04-15 | 9.8 Critical |
| Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution. | ||||
| CVE-2024-53605 | 1 Handcent | 1 Nextcms | 2026-04-15 | 7.5 High |
| Incorrect access control in the component content://com.handcent.messaging.provider.MessageProvider/ of Handcent NextSMS v10.9.9.7 allows attackers to access sensitive data. | ||||
| CVE-2024-1688 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Woo Total Sales plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_orders_archive() function in all versions up to, and including, 3.1.4. This makes it possible for unauthenticated attackers to retrieve sales reports for the store. | ||||