Export limit exceeded: 348903 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348903 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-32803 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 4 Medium |
| In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | ||||
| CVE-2025-13531 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-27829 | 2026-04-15 | 7.3 High | ||
| An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.35. If multicast streams are enabled on different interfaces, it may be possible to interrupt multicast traffic on some of these interfaces. That could result in a denial of the multicast routing service on the firewall. | ||||
| CVE-2025-29070 | 2026-04-15 | 7.5 High | ||
| A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation." | ||||
| CVE-2024-42671 | 2026-04-15 | 6.1 Medium | ||
| A Host Header Poisoning Open Redirect issue in slabiak Appointment Scheduler v.1.0.5 allows a remote attacker to redirect users to a malicious website, leading to potential credential theft, malware distribution, or other malicious activities. | ||||
| CVE-2025-13729 | 2 Greenshady, Wordpress | 2 Entry Views, Wordpress | 2026-04-15 | 6.4 Medium |
| The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-64353 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Chouby Polylang polylang allows Object Injection.This issue affects Polylang: from n/a through <= 3.7.3. | ||||
| CVE-2025-64361 | 2 Stylemixthemes, Wordpress | 2 Consulting Elementor Widgets, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows DOM-Based XSS.This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2. | ||||
| CVE-2024-10910 | 2026-04-15 | 7.3 High | ||
| The The Grid Plus – Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2025-3784 | 1 Mitsubishielectric | 1 Gx Works2 | 2026-04-15 | 5.5 Medium |
| Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. | ||||
| CVE-2025-66119 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9. | ||||
| CVE-2025-14053 | 2 Jseto, Wordpress | 2 Travel Bucket List Wish To Go, Wordpress | 2026-04-15 | 6.4 Medium |
| The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3043 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in GuoMinJim PersonManage 1.0. This issue affects the function preHandle of the file /login/. The manipulation of the argument Request leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2024-37516 | 2026-04-15 | 6.3 Medium | ||
| Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.2. | ||||
| CVE-2025-67573 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sailing: from n/a through < 4.4.6. | ||||
| CVE-2025-1883 | 2026-04-15 | 7.8 High | ||
| Out-Of-Bounds Write vulnerability exists in the OBJ file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted OBJÂ file. | ||||
| CVE-2024-10590 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Due to the presence of an .htaccess file, this can only be exploited to achieve RCE on NGINX servers, unless another vulnerability is present. | ||||
| CVE-2025-12412 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0128 | 1 Paloaltonetworks | 1 Pan-os | 2026-04-15 | N/A |
| A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode. Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue. | ||||
| CVE-2024-51987 | 2026-04-15 | 5.4 Medium | ||
| Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||