Export limit exceeded: 344880 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344880 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6355 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in Genexis Tilgin Fiber Home Gateway HG1522 CSx000-01_09_01_12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /status/product_info/. The manipulation of the argument product_info leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269755. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6374 | 1 Lahirudanushka | 1 School Management System | 2026-04-15 | 3.5 Low |
| A vulnerability was found in lahirudanushka School Management System 1.0.0/1.0.1 and classified as problematic. This issue affects some unknown processing of the file /subject.php of the component Subject Page. The manipulation of the argument Subject Title/Sybillus Details leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269807. | ||||
| CVE-2024-12203 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-6409 | 1 Redhat | 4 Enterprise Linux, Openshift, Rhel E4s and 1 more | 2026-04-15 | 7 High |
| A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server. | ||||
| CVE-2024-6414 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability classified as problematic has been found in Parsec Automation TrakSYS 11.x.x. Affected is an unknown function of the file TS/export/contentpage of the component Export Page. The manipulation of the argument ID leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-270000. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6415 | 2026-04-15 | 2.4 Low | ||
| A vulnerability classified as problematic was found in Ingenico Estate Manager 2023. Affected by this vulnerability is an unknown functionality of the file /emgui/rest/preferences/PREF_HOME_PAGE/sponsor/3/ of the component New Widget Handler. The manipulation of the argument URL leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270001 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6431 | 1 Medianet | 1 Ads Manager | 2026-04-15 | 8.8 High |
| The Media.net Ads Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and missing capability check in the 'sendMail' function in all versions up to, and including, 2.10.13. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is only exploitable if anyone has ever logged in through the API. | ||||
| CVE-2024-6437 | 2026-04-15 | 5.8 Medium | ||
| On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination. | ||||
| CVE-2025-3520 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2024-6441 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely. Upgrading to version 1.80 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-270169 was assigned to this vulnerability. | ||||
| CVE-2025-3529 | 2026-04-15 | 8.2 High | ||
| The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it. | ||||
| CVE-2025-3535 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability has been found in shuanx BurpAPIFinder up to 2.0.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file BurpApiFinder.db. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-6456 | 1 Aveva | 1 Historian | 2026-04-15 | N/A |
| AVEVA Historian Server has a vulnerability, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL. | ||||
| CVE-2025-3541 | 2026-04-15 | 8 High | ||
| A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this issue is the function FCGI_WizardProtoProcess of the file /api/wizard/getSpecs of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2025-3542 | 2026-04-15 | 8 High | ||
| A vulnerability, which was classified as critical, was found in H3C Magic NX15, Magic NX400 and Magic R3010 up to V100R014. This affects the function FCGI_WizardProtoProcess of the file /api/wizard/getsyncpppoecfg of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2025-3543 | 2026-04-15 | 8 High | ||
| A vulnerability has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014 and classified as critical. This vulnerability affects the function FCGI_WizardProtoProcess of the file /api/wizard/setsyncpppoecfg of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2024-6466 | 2026-04-15 | 5.3 Medium | ||
| NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via network with X-FRAME-OPTIONS is not specified. | ||||
| CVE-2025-3573 | 2026-04-15 | 6.1 Medium | ||
| Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary. | ||||
| CVE-2024-6476 | 2026-04-15 | 4.2 Medium | ||
| Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2025-13007 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page. | ||||