Export limit exceeded: 338086 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (338086 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5336 | 2025-06-17 | 6.4 Medium | ||
| The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6061 | 2025-06-17 | 6.4 Medium | ||
| The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6063 | 2025-06-17 | 6.1 Medium | ||
| The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-4667 | 2025-06-17 | 6.4 Medium | ||
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5238 | 2025-06-17 | 6.4 Medium | ||
| The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-28583 | 1 Qualcomm | 60 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 57 more | 2025-06-17 | 6.7 Medium |
| Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address. | ||||
| CVE-2024-0184 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2025-06-17 | 2.4 Low |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/edit_teacher.php of the component Add Enginer. The manipulation of the argument Firstname/Lastname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249442 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-6583 | 1 Codection | 1 Import And Export Users And Customers | 2025-06-17 | 6.6 Medium |
| The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information. | ||||
| CVE-2024-31815 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-06-17 | 9.1 Critical |
| In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | ||||
| CVE-2024-24279 | 1 Secdiskapp | 1 Secdiskapp | 2025-06-17 | 8.8 High |
| An issue in secdiskapp 1.5.1 (management program for NewQ Fingerprint Encryption Super Speed Flash Disk) allows attackers to gain escalated privileges via vsVerifyPassword and vsSetFingerPrintPower functions. | ||||
| CVE-2024-21507 | 2 Mysqljs, Sidorares | 2 Mysql2, Mysql2 | 2025-06-17 | 6.5 Medium |
| Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key. | ||||
| CVE-2024-7562 | 2025-06-17 | N/A | ||
| A potential elevated privilege issue has been reported with InstallShield built Standalone MSI setups having multiple InstallScript custom actions configured. All supported versions (InstallShield 2023 R2, InstallShield 2022 R2 and InstallShield 2021 R2) are affected by this issue. | ||||
| CVE-2025-39240 | 2025-06-17 | 7.2 High | ||
| Some Hikvision Wireless Access Point are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | ||||
| CVE-2025-22242 | 2025-06-17 | 5.6 Medium | ||
| Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system. | ||||
| CVE-2025-22241 | 2025-06-17 | 5.6 Medium | ||
| File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration. | ||||
| CVE-2024-13772 | 1 Uxper | 1 Civi | 2025-06-17 | 5.6 Medium |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email. | ||||
| CVE-2023-52285 | 1 Lrx0014 | 1 Examsys | 2025-06-17 | 7.5 High |
| ExamSys 9150244 allows SQL Injection via the /Support/action/Pages.php s_score2 parameter. | ||||
| CVE-2023-28197 | 1 Apple | 1 Macos | 2025-06-17 | 3.3 Low |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4. An app may be able to access user-sensitive data. | ||||
| CVE-2022-46721 | 1 Apple | 1 Macos | 2025-06-17 | 7.8 High |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2022-40361 | 1 Elitecms | 1 Elite Cms | 2025-06-17 | 6.1 Medium |
| Cross Site Scripting Vulnerability in Elite CRM v1.2.11 allows attacker to execute arbitrary code via the language parameter to the /ngs/login endpoint. | ||||