Export limit exceeded: 344767 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344767 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344767 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13394 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-36107 | 1 Minio | 1 Minio | 2026-04-15 | 5.3 Medium |
| MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue. | ||||
| CVE-2024-13396 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionless_form' shortcode[s] in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-39625 | 1 Icegram | 1 Icegram | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24. | ||||
| CVE-2024-51602 | 2026-04-15 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in oleksandr87 Simple Job Manager simple-job-manager allows SQL Injection.This issue affects Simple Job Manager: from n/a through <= 1.1. | ||||
| CVE-2024-51611 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miguel Peixe WP Feature Box wp-feature-box allows Stored XSS.This issue affects WP Feature Box: from n/a through <= 0.1.3. | ||||
| CVE-2024-13399 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Gosign – Posts Slider Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posts-slider-block' block in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-36108 | 2026-04-15 | 9.8 Critical | ||
| casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-51619 | 2026-04-15 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in market360 Market 360 Viewer market-360-viewer allows Blind SQL Injection.This issue affects Market 360 Viewer: from n/a through <= 1.01. | ||||
| CVE-2024-13405 | 2 Apptivo, Wordpress | 2 Apptivo Business Site Crm, Wordpress | 2026-04-15 | 4.3 Medium |
| The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation on the 'awp_ip_deny' page. This makes it possible for unauthenticated attackers to block IP addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-51622 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN WP EASY RECIPE wp-easy-recipe allows Stored XSS.This issue affects WP EASY RECIPE: from n/a through <= 1.6. | ||||
| CVE-2024-51623 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mehral WP EIS wp-eis allows SQL Injection.This issue affects WP EIS: from n/a through <= 1.3.3. | ||||
| CVE-2024-51624 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jajapagamentos Já-Já Pagamentos for WooCommerce wc-ja-ja-pagamentos-multicaixa-express allows Reflected XSS.This issue affects Já-Já Pagamentos for WooCommerce: from n/a through <= 1.3.0. | ||||
| CVE-2024-36109 | 2026-04-15 | 7.6 High | ||
| CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows `<script>` tags to be included which execute when published. This issue has been addressed in commit `419862a9c9879c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-5163 | 1 Tecno | 1 Com.transsion.carlcare | 2026-04-15 | 9.8 Critical |
| Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks. | ||||
| CVE-2024-39630 | 2 Motopress, Wordpress | 2 Timetable And Event Schedule, Wordpress | 2026-04-15 | 5.5 Medium |
| Deserialization of Untrusted Data vulnerability in MotoPress Timetable and Event Schedule allows Object Injection.This issue affects Timetable and Event Schedule: from n/a through 2.4.13. | ||||
| CVE-2024-51637 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in sroyalty Admin SMS Alert admin-sms-alert allows Stored XSS.This issue affects Admin SMS Alert: from n/a through <= 1.1.0. | ||||
| CVE-2024-51645 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in themefusecom ThemeFuse Maintenance Mode themefuse-maintenance-mode allows Stored XSS.This issue affects ThemeFuse Maintenance Mode: from n/a through <= 1.1.3. | ||||
| CVE-2024-51652 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in marckocher Skip To skip-to allows Stored XSS.This issue affects Skip To: from n/a through <= 2.0.0. | ||||
| CVE-2024-13410 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||