Export limit exceeded: 344803 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344803 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344803 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344803 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3867 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-47597 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Maulik Vora WP Podcasts Manager wp-podcasts-manager allows Cross Site Request Forgery.This issue affects WP Podcasts Manager: from n/a through <= 1.3. | ||||
| CVE-2025-8214 | 2 Webangon, Wordpress | 2 The Pack Elementor Addons, Wordpress | 2026-04-15 | 6.4 Medium |
| The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8217 | 1 Amazon | 1 Q Developer Vs Code Extension | 2026-04-15 | 4 Medium |
| The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use. | ||||
| CVE-2024-0949 | 1 Talya Informatics | 1 Elektraweb | 2026-04-15 | 9.8 Critical |
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | ||||
| CVE-2025-25112 | 2026-04-15 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kareemsultan Social Links social-links allows Command Line Execution through SQL Injection.This issue affects Social Links: from n/a through <= 1.2. | ||||
| CVE-2025-25113 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Senktec Implied Cookie Consent implied-cookie-consent allows Reflected XSS.This issue affects Implied Cookie Consent: from n/a through <= 1.3. | ||||
| CVE-2025-3869 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-25114 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ehabstar User Role user-roles allows Reflected XSS.This issue affects User Role: from n/a through <= 1.0. | ||||
| CVE-2025-25118 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Danish Ali Malik Top Bar – PopUps – by WPOptin wpoptin allows Reflected XSS.This issue affects Top Bar – PopUps – by WPOptin: from n/a through <= 2.0.8. | ||||
| CVE-2025-25120 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Melodic Media Slide Banners slide-banners allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slide Banners: from n/a through <= 1.3. | ||||
| CVE-2025-3870 | 2026-04-15 | 6.1 Medium | ||
| The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. This is due to missing or incorrect nonce validation on the 1-decembrie-1918/1-decembrie-1918.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-25121 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in shyammakwana Theme Options Z theme-options-z allows Cross Site Request Forgery.This issue affects Theme Options Z: from n/a through <= 1.4. | ||||
| CVE-2025-1726 | 2026-04-15 | 4.3 Medium | ||
| There is a SQL injection issue in Esri ArcGIS Monitor versions 2023.0 through 2024.x on Windows and Linux that allows a remote, authenticated attacker with low privileges to improperly read limited database schema information by passing crafted queries. While it is possible to enumerate some internal database identifiers, the impact to the confidentiality vector is "LOW' because any sensitive data returned in a response is encrypted. There is no evidence of impact to the integrity or availability vectors. This issue is addressed in ArcGIS Monitor 2024.1. | ||||
| CVE-2025-25122 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Path Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal.This issue affects WizShop: from n/a through <= 3.0.2. | ||||
| CVE-2025-25124 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater fb-status-updater allows Reflected XSS.This issue affects Status Updater: from n/a through <= 1.9.2. | ||||
| CVE-2025-8286 | 1 Guralp | 1 Fmus | 2026-04-15 | N/A |
| The affected products expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device. | ||||
| CVE-2025-25126 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO zmseo allows Stored XSS.This issue affects ZMSEO: from n/a through <= 1.14.1. | ||||
| CVE-2025-3871 | 2026-04-15 | 5.3 Medium | ||
| Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP. | ||||
| CVE-2025-43004 | 2026-04-15 | 5.3 Medium | ||
| Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authentication, malicious unauthenticated users can view non-sensitive customer information. However, this does not affect data integrity or availability. | ||||