Export limit exceeded: 346164 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 346164 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 76238 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (76238 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4435 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2026-04-22 | 7.5 High |
| When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped. | ||||
| CVE-2025-12028 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 8.8 High |
| The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete). | ||||
| CVE-2025-12095 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 8.8 High |
| The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This makes it possible for unauthenticated attackers to approve pending role requests and escalate user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-11995 | 2 Jackdewey, Wordpress | 2 Community Events, Wordpress | 2026-04-22 | 7.2 High |
| The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11924 | 2 Ninjaforms, Wordpress | 2 Ninja Forms, Wordpress | 2026-04-22 | 7.5 High |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective. | ||||
| CVE-2025-69662 | 1 Geopandas | 1 Geopandas | 2026-04-22 | 8.6 High |
| SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. | ||||
| CVE-2025-12062 | 2 Flippercode, Wordpress | 2 Wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters, Wordpress | 2026-04-22 | 8.8 High |
| The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included. | ||||
| CVE-2025-11754 | 2 Wordpress, Wplegalpages | 2 Wordpress, Cookie Banner For Gdpr / Ccpa – Wplp Cookie Consent | 2026-04-22 | 7.5 High |
| The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys. | ||||
| CVE-2017-11292 | 6 Adobe, Apple, Google and 3 more | 12 Flash Player, Flash Player Desktop Runtime, Mac Os X and 9 more | 2026-04-22 | 8.8 High |
| Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2013-2729 | 3 Adobe, Redhat, Suse | 9 Acrobat, Acrobat Reader, Enterprise Linux Desktop and 6 more | 2026-04-22 | 8.8 High |
| Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727. | ||||
| CVE-2025-1634 | 1 Redhat | 3 Amq Streams, Camel Quarkus, Quarkus | 2026-04-22 | 7.5 High |
| A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError. | ||||
| CVE-2025-32914 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2026-04-22 | 7.4 High |
| A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds. | ||||
| CVE-2025-12139 | 2 Princeahmed, Wordpress | 2 File Manager For Google Drive, Wordpress | 2026-04-22 | 7.5 High |
| The File Manager for Google Drive – Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the "get_localize_data" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses. | ||||
| CVE-2025-12497 | 2 Averta, Wordpress | 3 Phlox, Premium Portfolio Features For Phlox Theme, Wordpress | 2026-04-22 | 8.1 High |
| The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | ||||
| CVE-2025-12153 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 8.8 High |
| The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-11419 | 1 Redhat | 1 Build Keycloak | 2026-04-22 | 7.5 High |
| A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. | ||||
| CVE-2025-12166 | 2 Croixhaug, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-04-22 | 7.5 High |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-48613 | 1 Google | 1 Android | 2026-04-22 | 7.8 High |
| In VBMeta, there is a possible way to modify and resign VBMeta using a test key, assuming the original image was previously signed with the same key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-3517 | 1 Progress | 4 Ecs Connection Manager, Loadmaster, Moveit Waf and 1 more | 2026-04-22 | 8.4 High |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command | ||||
| CVE-2026-3518 | 1 Progress | 4 Ecs Connection Manager, Loadmaster, Moveit Waf and 1 more | 2026-04-22 | 8.4 High |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command | ||||