Export limit exceeded: 341342 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341342 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341342 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341342 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-42718 | 1 Replicated | 1 Replicated Classic | 2025-07-13 | 4.9 Medium |
| Information Disclosure in API in Replicated Replicated Classic versions prior to 2.53.1 on all platforms allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, via accessing container definitions with environment variables through the Admin Console API on port 8800. This CVE was originally reserved in 2021 and later publicly disclosed by Replicated on their website on 21 October 2021. However, it mistakenly remained in the Reserved But Public (RBP) status with the CVE Numbering Authority (CNA). Please note that this product reached its end of life on 31 December 2024. Publishing this CVE with the CNA was required to comply with CNA rules, despite the fact that the issue was disclosed and fixed four years ago, and the affected product is no longer supported as of 2024. Summary of VulnerabilityThis advisory discloses a low severity security vulnerability in the versions of Replicated Classic listed above (“Affected Replicated Classic Versions”) DescriptionReplicated Classic versions prior to 2.53.1 have an authenticated API from the Replicated Admin Console that may expose sensitive data including application secrets, depending on how the application manifests are written. A user with valid credentials and access to the Admin Console port (8800) on the Replicated Classic server can retrieve container definitions including environment variables which may contain passwords and other secrets depending on how the application is configured. This data is shared over authenticated sessions to the Admin Console only, and was never displayed or used in the application processing. To remediate this issue, we removed the sensitive data from the API, sending only the data to the Admin Console that was needed. TimelineThis issue was discovered during a security review on 16 September 2021. Patched versions were released on 23 September 2021. This advisory was published on 21 October 2021. The CVE Numbering Authority (CNA) notified Replicated on 23 January 2025 that the CVE was still in Reserved But Public (RBP) status. Upon discovering the oversight in updating the status to published with the CNA, Replicated submitted the updated report on the same day, 23 January 2025. | ||||
| CVE-2025-32287 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Responsive HTML5 Audio Player PRO With Playlist allows SQL Injection. This issue affects Responsive HTML5 Audio Player PRO With Playlist: from n/a through 3.5.7. | ||||
| CVE-2024-12519 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.4 Medium |
| The TCBD Auto Refresher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd_auto_refresh' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-51778 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Starfish Reviews Satisfaction Reports from Help Scout allows Reflected XSS.This issue affects Satisfaction Reports from Help Scout: from n/a through 2.0.3. | ||||
| CVE-2023-52943 | 1 Synology | 1 Surveillance Station | 2025-07-13 | 4.3 Medium |
| Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors. | ||||
| CVE-2024-10895 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.4 Medium |
| The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lgx-counter' shortcode in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-26575 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through 2.4.4. | ||||
| CVE-2024-53730 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Aaron Hodge Silver April's Call Posts allows Stored XSS. This issue affects April's Call Posts: from n/a through 2.1.1. | ||||
| CVE-2024-47642 | 2 Keap, Wordpress | 2 Keap Official Opt In Forms, Wordpress | 2025-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS.This issue affects Keap Official Opt-in Forms: from n/a through 2.0.1. | ||||
| CVE-2024-34768 | 2 Fastly, Wordpress | 2 Fastly, Wordpress | 2025-07-13 | 5.3 Medium |
| Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25. | ||||
| CVE-2024-4083 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.3 Medium |
| The Easy Restaurant Table Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-31752 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.3 Medium |
| Missing Authorization vulnerability in termel Bulk Fields Editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Fields Editor: from n/a through 1.8.0. | ||||
| CVE-2024-13815 | 2 Themographics, Wordpress | 2 Listingo, Wordpress | 2025-07-13 | 6.5 Medium |
| The The Listingo theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-54397 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Antonio Gocaj Go Animate allows Stored XSS.This issue affects Go Animate: from n/a through 1.0. | ||||
| CVE-2024-12814 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.4 Medium |
| The Loan Comparison plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'loancomparison' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-47863 | 1 Centreon | 1 Centreon Web | 2025-07-13 | 6.2 Medium |
| An issue was discovered in Centreon Web 24.10.x before 24.10.0, 24.04.x before 24.04.8, 23.10.x before 23.10.18, 23.04.x before 23.04.23, and 22.10.x before 22.10.26. A stored XSS was found in the user configuration contact name field. This form is only accessible to authenticated users with high-privilege access. | ||||
| CVE-2024-12848 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 8.8 High |
| The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible. | ||||
| CVE-2024-30561 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scientech It Solution Appointment Calendar allows Reflected XSS.This issue affects Appointment Calendar: from n/a through 2.9.6. | ||||
| CVE-2024-56224 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ledenbeheer allows Stored XSS.This issue affects Ledenbeheer: from n/a through 2.1.0. | ||||
| CVE-2025-23646 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Brooks Library Instruction Recorder allows Reflected XSS. This issue affects Library Instruction Recorder: from n/a through 1.1.4. | ||||