Export limit exceeded: 342311 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 342311 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342311 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5185 | 1 Nothings | 1 Stb Image | 2026-04-01 | 5.3 Medium |
| A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4146 | 2 Timwhitlock, Wordpress | 2 Loco Translate, Wordpress | 2026-04-01 | 6.1 Medium |
| The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-14213 | 1 Cato Networks | 1 Socket | 2026-04-01 | N/A |
| Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system. | ||||
| CVE-2026-24030 | 1 Powerdns | 1 Dnsdist | 2026-04-01 | 5.3 Medium |
| An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process. | ||||
| CVE-2026-0396 | 1 Powerdns | 1 Dnsdist | 2026-04-01 | 3.1 Low |
| An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. | ||||
| CVE-2026-0397 | 1 Powerdns | 1 Dnsdist | 2026-04-01 | 3.1 Low |
| When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy. | ||||
| CVE-2026-34202 | 1 Zcashfoundation | 2 Zebra, Zebra-chain | 2026-04-01 | N/A |
| ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1. | ||||
| CVE-2025-10553 | 1 Dassault Systèmes | 1 Delmia Factory Resource Manager | 2026-04-01 | 8.7 High |
| A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-10559 | 1 Dassault Systèmes | 1 Delmia Factory Resource Manager | 2026-04-01 | 7.1 High |
| A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server. | ||||
| CVE-2025-41357 | 1 Anon Proxy Server | 1 Anon Proxy Server | 2026-04-01 | N/A |
| Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'host' parameter in '/diagdns.php' endpoint. | ||||
| CVE-2026-0596 | 1 Mlflow | 1 Mlflow | 2026-04-01 | N/A |
| A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users. | ||||
| CVE-2025-15618 | 1 Mock | 1 Business::onlinepayment::storedtransaction | 2026-04-01 | 9.1 Critical |
| Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data. | ||||
| CVE-2026-1834 | 2 Vowelweb, Wordpress | 2 Ibtana – Wordpress Website Builder, Wordpress | 2026-04-01 | 6.4 Medium |
| The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1877 | 2 Johnh10, Wordpress | 2 Auto Post Scheduler, Wordpress | 2026-04-01 | 6.1 Medium |
| The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-41355 | 1 Anon Proxy Server | 1 Anon Proxy Server | 2026-04-01 | N/A |
| Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'port' and 'proxyPort' parameters in '/anon.php' endpoint. | ||||
| CVE-2025-41356 | 1 Anon Proxy Server | 1 Anon Proxy Server | 2026-04-01 | N/A |
| Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'host' parameter in '/diagconnect.php' endpoint. | ||||
| CVE-2026-24028 | 1 Powerdns | 1 Dnsdist | 2026-04-01 | 5.3 Medium |
| An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure. | ||||
| CVE-2026-22561 | 1 Anthropic | 1 Claude Desktop | 2026-04-01 | N/A |
| Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer. | ||||
| CVE-2026-24029 | 1 Powerdns | 1 Dnsdist | 2026-04-01 | 6.5 Medium |
| When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. | ||||
| CVE-2026-4267 | 2 Johnbillion, Wordpress | 2 Query Monitor – The Developer Tools Panel For Wordpress, Wordpress | 2026-04-01 | 7.2 High |
| The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||