Export limit exceeded: 347147 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (347147 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41130 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premmerce User Roles: from n/a through <= 1.0.12. | ||||
| CVE-2023-40678 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Andrew Fiebert Simple URLs simple-urls allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple URLs: from n/a through <= 117. | ||||
| CVE-2023-40334 | 1 Pluginus | 1 Husky - Products Filter Professional For Woocommerce | 2026-04-23 | 8.8 High |
| Missing Authorization vulnerability in RealMag777 HUSKY woocommerce-products-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through <= 1.3.4.2. | ||||
| CVE-2023-40005 | 1 Awesomemotive | 1 Easy Digital Downloads | 2026-04-23 | 9.8 Critical |
| Missing Authorization vulnerability in Syed Balkhi Easy Digital Downloads easy-digital-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through <= 3.1.5. | ||||
| CVE-2023-40003 | 1 Wedevs | 1 Wp Project Manager | 2026-04-23 | 9.8 Critical |
| Missing Authorization vulnerability in weDevs WP Project Manager wedevs-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through <= 2.6.7. | ||||
| CVE-2023-39920 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Themeisle Redirection for Contact Form 7 wpcf7-redirect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Redirection for Contact Form 7: from n/a through <= 2.9.2. | ||||
| CVE-2023-39305 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Dash Labs Yet Another Stars Rating yet-another-stars-rating allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yet Another Stars Rating: from n/a through <= 3.4.3. | ||||
| CVE-2023-38512 | 1 Wpstream | 1 Wpstream | 2026-04-23 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in wpstream WpStream wpstream allows Cross Site Request Forgery.This issue affects WpStream: from n/a through <= 4.5.4. | ||||
| CVE-2023-35037 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Surfer Surfer surferseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Surfer: from n/a through <= 1.3.2.357. | ||||
| CVE-2023-33994 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slimstat Analytics: from n/a through <= 5.0.5.1. | ||||
| CVE-2023-33215 | 2 Taggbox, Wordpress | 2 Taggbox, Wordpress | 2026-04-23 | N/A |
| Missing Authorization vulnerability in Taggbox Taggbox taggbox-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taggbox: from n/a through <= 3.3. | ||||
| CVE-2023-32299 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Sales Report ni-woocommerce-sales-report allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ni WooCommerce Sales Report: from n/a through <= 3.7.3. | ||||
| CVE-2022-47168 | 2026-04-23 | N/A | ||
| Missing Authorization vulnerability in printful Printful Integration for WooCommerce printful-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Printful Integration for WooCommerce: from n/a through <= 2.2.3. | ||||
| CVE-2021-41715 | 1 Libsixel | 1 Libsixel | 2026-04-23 | 8.8 High |
| libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. | ||||
| CVE-2025-61146 | 1 Saitoha | 1 Libsixel | 2026-04-23 | 4 Medium |
| saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c. | ||||
| CVE-2026-30459 | 2 Daylightstudio, Thedaylightstudio | 2 Fuel Cms, Fuel Cms | 2026-04-23 | 7.1 High |
| An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. | ||||
| CVE-2026-35464 | 1 Pyload | 1 Pyload | 2026-04-23 | 7.5 High |
| pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1. | ||||
| CVE-2026-34082 | 2 Dify, Langgenius | 2 Dify, Dify | 2026-04-23 | 4.3 Medium |
| Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue. | ||||
| CVE-2026-33149 | 2 Tandoor, Tandoorrecipes | 2 Recipes, Recipes | 2026-04-23 | 8.1 High |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available. | ||||
| CVE-2026-34308 | 1 Oracle | 1 Mysql Server | 2026-04-23 | 6.5 Medium |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | ||||