Export limit exceeded: 344803 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344803 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-25142 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Jake Group WP Less Compiler wp-less-compiler allows Stored XSS.This issue affects WP Less Compiler: from n/a through <= 1.3.0. | ||||
| CVE-2025-25143 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ibasit GlobalQuran globalquran allows Cross Site Request Forgery.This issue affects GlobalQuran: from n/a through <= 1.0. | ||||
| CVE-2024-13380 | 2026-04-15 | 6.4 Medium | ||
| The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rr_form' shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12463 | 1 Guetebruck | 1 G-cam | 2026-04-15 | 9.8 Critical |
| An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19. | ||||
| CVE-2025-25146 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals songkick-concerts-and-festivals allows Cross Site Request Forgery.This issue affects Songkick Concerts and Festivals: from n/a through <= 0.9.7. | ||||
| CVE-2025-25148 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ElbowRobo Read More Copy Link read-more-copy-link allows Stored XSS.This issue affects Read More Copy Link: from n/a through <= 1.0.2. | ||||
| CVE-2025-25149 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Danillo Nunes Login-box login-box allows Stored XSS.This issue affects Login-box: from n/a through <= 2.0.4. | ||||
| CVE-2024-52600 | 1 Statamic | 1 Statamic | 2026-04-15 | 5.3 Medium |
| Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0. | ||||
| CVE-2025-25153 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag simple-auto-tag allows Stored XSS.This issue affects Simple Auto Tag: from n/a through <= 1.1. | ||||
| CVE-2025-25154 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in scweber Custom Comment Notifications custom-comment-notifications allows Stored XSS.This issue affects Custom Comment Notifications: from n/a through <= 1.0.8. | ||||
| CVE-2025-25155 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in efreja Music Sheet Viewer music-sheet-viewer allows Path Traversal.This issue affects Music Sheet Viewer: from n/a through <= 4.1. | ||||
| CVE-2025-25156 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments quote-comments allows Stored XSS.This issue affects Quote Comments: from n/a through <= 3.0.0. | ||||
| CVE-2024-52615 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 5.3 Medium |
| A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | ||||
| CVE-2025-12464 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 6.2 Medium |
| A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service. | ||||
| CVE-2025-14259 | 1 Jihai | 1 Jshop Miniprogram Mall System | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2516 | 1 Kingsoft | 1 Wps Office | 2026-04-15 | N/A |
| The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components. As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked. | ||||
| CVE-2024-52616 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 5.3 Medium |
| A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | ||||
| CVE-2025-12465 | 1 Opensolution | 1 Quick.cms | 2026-04-15 | N/A |
| A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-14274 | 3 Unitecms, Unlimited-elements, Wordpress | 3 Unlimited Elements For Elementor, Unlimited Elements For Elementor, Wordpress | 2026-04-15 | 5.4 Medium |
| The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5275 | 1 Fortra | 2 Filecatalyst Direct, Filecatalyst Workflow | 2026-04-15 | 7.8 High |
| A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack against users of the agent. This issue affects all versions of FileCatalyst Direct from 3.8.10 Build 138 and earlier and all versions of FileCatalyst Workflow from 5.1.6 Build 130 and earlier. | ||||