Total
435 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13794 | 1 Wpplugins | 1 Hide My Wp Ghost | 2026-04-08 | 5.3 Medium |
| The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location. | ||||
| CVE-2023-0085 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2026-04-08 | 5.3 Medium |
| The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server side checking on the captcha value submitted during a form submission. This makes it possible for unauthenticated attackers to bypass Captcha restrictions and for attackers to utilize bots to submit forms. | ||||
| CVE-2024-0682 | 1 Theandystratton | 2 Page Restrict, Pagerestrict | 2026-04-08 | 5.3 Medium |
| The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts. | ||||
| CVE-2024-11197 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.2 Medium |
| The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked. | ||||
| CVE-2024-0680 | 1 Wpexpertdeveloper | 1 Wp Private Content Plus | 2026-04-08 | 5.3 Medium |
| The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts. | ||||
| CVE-2022-4100 | 2 Gioni, Wpcerber | 2 Wp Cerber Security, Cerber Security Antispam \& Malware Scan | 2026-04-08 | 5.3 Medium |
| The WP Cerber Security plugin for WordPress is vulnerable to IP Protection bypass in versions up to, and including 9.4 due to the plugin improperly checking for a visitor's IP address. This makes it possible for an attacker whose IP address has been blocked to bypass this control by setting the X-Forwarded-For: HTTP header to an IP Address that hasn't been blocked. | ||||
| CVE-2026-34938 | 1 Mervinpraison | 1 Praisonai | 2026-04-07 | 10 Critical |
| PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90. | ||||
| CVE-2026-34208 | 1 Nyariv | 1 Sandboxjs | 2026-04-07 | 10 Critical |
| SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. | ||||
| CVE-2026-35408 | 1 Directus | 1 Directus | 2026-04-07 | 8.7 High |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0. | ||||
| CVE-2026-34072 | 1 Fccview | 1 Cronmaster | 2026-04-03 | 8.3 High |
| Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-5276 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-02 | 6.5 Medium |
| Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-20667 | 1 Apple | 5 Ios And Ipados, Ipados, Iphone Os and 2 more | 2026-04-02 | 8.8 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, watchOS 26.3. An app may be able to break out of its sandbox. | ||||
| CVE-2025-46290 | 1 Apple | 1 Macos | 2026-04-02 | 7.5 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. A remote attacker may be able to cause a denial-of-service. | ||||
| CVE-2025-43413 | 1 Apple | 11 Ios, Ipad Os, Ipados and 8 more | 2026-04-02 | 7.5 High |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A sandboxed app may be able to observe system-wide network connections. | ||||
| CVE-2025-43330 | 1 Apple | 3 Macos, Macos Sequoia, Macos Tahoe | 2026-04-02 | 8.2 High |
| This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to break out of its sandbox. | ||||
| CVE-2025-43273 | 1 Apple | 2 Macos, Macos Sequoia | 2026-04-02 | 9.1 Critical |
| A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.8. A sandboxed process may be able to circumvent sandbox restrictions. | ||||
| CVE-2025-31224 | 1 Apple | 1 Macos | 2026-04-02 | 7.8 High |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. An app may be able to bypass certain Privacy preferences. | ||||
| CVE-2025-31189 | 1 Apple | 1 Macos | 2026-04-02 | 8.2 High |
| A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to break out of its sandbox. | ||||
| CVE-2024-44122 | 1 Apple | 1 Macos | 2026-04-02 | 8.8 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An application may be able to break out of its sandbox. | ||||
| CVE-2024-23284 | 5 Apple, Fedoraproject, Redhat and 2 more | 12 Ipados, Iphone Os, Macos and 9 more | 2026-04-02 | 6.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in Safari 17.4, iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, watchOS 10.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. | ||||