Export limit exceeded: 45592 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 346659 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346659 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11985 | 2026-04-15 | 4.4 Medium | ||
| An improper input validation vulnerability leads to device crashes in certain ASUS router models. Refer to the '12/03/2024 ASUS Router Improper Input Validation' section on the ASUS Security Advisory for more information. | ||||
| CVE-2024-11983 | 1 Billion Electric | 4 M100, M120n, M150 and 1 more | 2026-04-15 | 7.2 High |
| Certain models of routers from Billion Electric has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject arbitrary system commands into a specific SSH function and execute them on the device. | ||||
| CVE-2024-2834 | 2026-04-15 | 8.7 High | ||
| A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited. | ||||
| CVE-2024-11918 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Image Alt Text plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the iat_add_alt_txt_action and iat_update_alt_txt_action AJAX actions in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the alt text on arbitrary images. | ||||
| CVE-2023-5396 | 2026-04-15 | 7.4 High | ||
| Server receiving a malformed message creates connection for a hostname that may cause a stack overflow resulting in possible remote code execution. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||
| CVE-2024-11906 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The TPG Get Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpg_get_posts' shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-52377 | 2026-04-15 | 5.4 Medium | ||
| Command injection vulnerability in Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below, allowing authenticated attackers to execute arbitrary commands on the device. The vulnerability is present in the web management interface's ping and traceroute functionality, specifically in the /web/um_ping_set.cgi endpoint. The application fails to properly sanitize user input in the `Ping_host_text` parameter before passing it to the underlying system command, allowing attackers to inject and execute arbitrary shell commands as the root user. | ||||
| CVE-2024-11884 | 2 Gopiplus, Wordpress | 2 Wp Photo Text Slider 50, Wordpress | 2026-04-15 | 6.4 Medium |
| The Wp photo text slider 50 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-photo-slider' shortcode in all versions up to, and including, 8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11923 | 2026-04-15 | 5.5 Medium | ||
| Under certain log settings the IAM or CORE service will log credentials in the iam logfile in Fortra Application Hub (Formerly named Helpsystems One) prior to version 1.3 | ||||
| CVE-2024-11862 | 2026-04-15 | N/A | ||
| Non constant time cryptographic operation in Devolutions.XTS.NET 2024.11.19 and earlier allows an attacker to render half of the encryption key obsolete via a timing attacks | ||||
| CVE-2024-11857 | 2026-04-15 | 7.8 High | ||
| Bluetooth HCI Adaptor from Realtek has a Link Following vulnerability. Local attackers with regular privileges can create a symbolic link with the same name as a specific file, causing the product to delete arbitrary files pointed to by the link. Subsequently, attackers can leverage arbitrary file deletion to privilege escalation. | ||||
| CVE-2024-11810 | 2026-04-15 | 6.1 Medium | ||
| The PayGreen Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message_id' parameter in all versions up to, and including, 1.0.26 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-37870 | 2026-04-15 | 8.1 High | ||
| Missing Authorization vulnerability in Woo WooCommerce Warranty Requests.This issue affects WooCommerce Warranty Requests: from n/a through 2.1.9. | ||||
| CVE-2023-37482 | 2026-04-15 | 5.3 Medium | ||
| The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames. | ||||
| CVE-2025-4618 | 2 Palo Alto Networks, Paloaltonetworks | 2 Prisma Browser, Prisma Browser | 2026-04-15 | N/A |
| A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser. Browser self-protection should be enabled to mitigate this issue. | ||||
| CVE-2023-37389 | 1 Saasproject | 1 Booking Package | 2026-04-15 | 8.8 High |
| Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation.This issue affects Booking Package: from n/a through 1.5.98. | ||||
| CVE-2023-37057 | 1 Jlink | 1 Ax1800 | 2026-04-15 | 9.8 Critical |
| An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism. | ||||
| CVE-2023-37039 | 2026-04-15 | 6.5 Medium | ||
| A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allow network-adjacent attackers to crash the MME via an S1AP `Initial UE Message` packet missing an expected `RRC Establishment Clause` field. | ||||
| CVE-2023-36998 | 2026-04-15 | 8.9 High | ||
| The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core. | ||||
| CVE-2025-64367 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS.This issue affects Groundhogg: from n/a through <= 4.2.6. | ||||