Export limit exceeded: 343843 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 343843 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343843 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39389 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-08 | 6.7 Medium |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0. | ||||
| CVE-2026-39714 | 2 G5theme, Wordpress | 2 G5plus April, Wordpress | 2026-04-08 | 5.3 Medium |
| Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through <= 6.8. | ||||
| CVE-2026-39709 | 2 Thetechtribe, Wordpress | 2 The Tribal, Wordpress | 2026-04-08 | N/A |
| Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3.4. | ||||
| CVE-2026-39693 | 2 Fesomia, Wordpress | 2 Fsm Custom Featured Image Caption, Wordpress | 2026-04-08 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1. | ||||
| CVE-2026-39686 | 2 Bannersky, Wordpress | 2 Bsk Pdf Manager, Wordpress | 2026-04-08 | N/A |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2. | ||||
| CVE-2026-39677 | 2 Creatives Planet, Wordpress | 2 Emphires, Wordpress | 2026-04-08 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9. | ||||
| CVE-2026-39682 | 2 Arjan Pronk, Wordpress | 2 Linkpizza-manager, Wordpress | 2026-04-08 | 5.3 Medium |
| Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects linkPizza-Manager: from n/a through <= 5.5.5. | ||||
| CVE-2026-3396 | 2 Shamimmoeen, Wordpress | 2 Wcapf – Ajax Product Filter For Woocommerce, Wordpress | 2026-04-08 | 7.5 High |
| WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-39699 | 2 Massiveshift, Wordpress | 2 Ai Workflow Automation, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2. | ||||
| CVE-2026-39715 | 2 Anytrack, Wordpress | 2 Anytrack Affiliate Link Manager, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5. | ||||
| CVE-2026-39711 | 2 Stmcan, Wordpress | 2 Rt-theme 18 | Extensions, Wordpress | 2026-04-08 | N/A |
| Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5. | ||||
| CVE-2026-33458 | 1 Elastic | 1 Kibana | 2026-04-08 | 6.8 Medium |
| Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. | ||||
| CVE-2026-34718 | 1 Zammad | 1 Zammad | 2026-04-08 | N/A |
| Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. | ||||
| CVE-2026-34719 | 1 Zammad | 1 Zammad | 2026-04-08 | N/A |
| Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. | ||||
| CVE-2026-39393 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-08 | 8.1 High |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0. | ||||
| CVE-2026-35401 | 1 Saleor | 1 Saleor | 2026-04-08 | 7.5 High |
| Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. | ||||
| CVE-2025-50664 | 1 Dlink | 1 Di-8003 | 2026-04-08 | N/A |
| A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr. | ||||
| CVE-2026-39680 | 2 Mwp Development, Wordpress | 2 Diet Calorie Calculator, Wordpress | 2026-04-08 | 5.3 Medium |
| Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Diet Calorie Calculator: from n/a through <= 1.1.1. | ||||
| CVE-2026-39688 | 2 Glowlogix, Wordpress | 2 Wp Frontend Profile, Wordpress | 2026-04-08 | 5.3 Medium |
| Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9. | ||||
| CVE-2026-39692 | 2 Tagdiv, Wordpress | 2 Tagdiv Composer, Wordpress | 2026-04-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3. | ||||