Export limit exceeded: 348998 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348998 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12517 | 2026-04-15 | 6.4 Medium | ||
| The WooCommerce Cart Count Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cart_button' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12520 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Dominion – Domain Checker for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dominion_shortcodes_domain_search_6' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12523 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The States Map US plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'states_map' shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-3940 | 2026-04-15 | 7.5 High | ||
| Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to access any file on the system. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2024-12530 | 2026-04-15 | N/A | ||
| Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application. | ||||
| CVE-2025-67564 | 2 Alekv, Wordpress | 2 Pixel Manager For Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in alekv Pixel Manager for WooCommerce woocommerce-google-adwords-conversion-tracking-tag allows Retrieve Embedded Sensitive Data.This issue affects Pixel Manager for WooCommerce: from n/a through <= 1.51.1. | ||||
| CVE-2024-12100 | 2026-04-15 | 6.1 Medium | ||
| The Bitcoin Lightning Publisher for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-12077 | 2026-04-15 | 6.1 Medium | ||
| The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendar_id’ parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-12076 | 2026-04-15 | 6.1 Medium | ||
| The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the resync_carousel(), seek_snapshot(), uploaded_cc(), and remove_cc() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-12083 | 2026-04-15 | 6.6 Medium | ||
| Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products. | ||||
| CVE-2025-50740 | 2026-04-15 | 6.1 Medium | ||
| AutoConnect 1.4.2, an Arduino library, is vulnerable to a cross site scripting (xss) vulnerability. The AutoConnect web interface /_ac/config allows HTML/JS code to be executed via a crafted network SSID. | ||||
| CVE-2024-12057 | 1 Arcinfo | 1 Pcvue | 2026-04-15 | N/A |
| User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application. | ||||
| CVE-2024-12021 | 2026-04-15 | N/A | ||
| Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting. | ||||
| CVE-2024-1202 | 2026-04-15 | 9.8 Critical | ||
| Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported. | ||||
| CVE-2024-12014 | 2026-04-15 | N/A | ||
| Path Traversal vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers. | ||||
| CVE-2024-11985 | 2026-04-15 | 4.4 Medium | ||
| An improper input validation vulnerability leads to device crashes in certain ASUS router models. Refer to the '12/03/2024 ASUS Router Improper Input Validation' section on the ASUS Security Advisory for more information. | ||||
| CVE-2024-11983 | 1 Billion Electric | 4 M100, M120n, M150 and 1 more | 2026-04-15 | 7.2 High |
| Certain models of routers from Billion Electric has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject arbitrary system commands into a specific SSH function and execute them on the device. | ||||
| CVE-2024-11918 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Image Alt Text plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the iat_add_alt_txt_action and iat_update_alt_txt_action AJAX actions in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the alt text on arbitrary images. | ||||
| CVE-2023-5396 | 2026-04-15 | 7.4 High | ||
| Server receiving a malformed message creates connection for a hostname that may cause a stack overflow resulting in possible remote code execution. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||
| CVE-2024-11906 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The TPG Get Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpg_get_posts' shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||