Export limit exceeded: 349361 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349361 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2290 | 2 Wordpress, Wpadvancedads | 2 Wordpress, Advanced Ads - Ad Manager \& Adsense | 2026-04-15 | 7.2 High |
| The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-2292 | 2026-04-15 | N/A | ||
| Due to a lack of access control, unauthorized users are able to view and modify information pertaining to other users. | ||||
| CVE-2024-2295 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Contact Form Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [xyz-cfm-form] shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2306 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Revslider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg upload in all versions up to, and including, 6.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure revslider can be extended to authors. | ||||
| CVE-2024-23078 | 2026-04-15 | 9.1 Critical | ||
| JGraphT Core v1.5.2 was discovered to contain a NullPointerException via the component org.jgrapht.alg.util.ToleranceDoubleComparator::compare(Double, Double). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. | ||||
| CVE-2024-23080 | 2026-04-15 | 9.1 Critical | ||
| Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. | ||||
| CVE-2024-2327 | 2026-04-15 | 6.4 Medium | ||
| The Global Elementor Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link URL in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2347 | 2 Brainstormforce, Wordpress | 2 Astra, Wordpress | 2026-04-15 | 6.4 Medium |
| The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-32655 | 1 Npgsql | 1 Npgsql | 2026-04-15 | 8.1 High |
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. This vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and 8.0.3. | ||||
| CVE-2024-2349 | 2026-04-15 | 6.4 Medium | ||
| The Fancy Elementor Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Fancy Elementor Flipbox widget in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-34572 may be a duplicate of this issue. | ||||
| CVE-2024-32672 | 1 Samsung Open Source | 1 Escargot | 2026-04-15 | 5.3 Medium |
| A Segmentation Fault issue discovered in Samsung Open Source Escargot JavaScript engine allows remote attackers to cause a denial of service via crafted input. This issue affects Escargot: 4.0.0. | ||||
| CVE-2024-23492 | 2026-04-15 | 5.7 Medium | ||
| A weak encoding is used to transmit credentials for WS203VICM. | ||||
| CVE-2024-32673 | 2026-04-15 | 5.5 Medium | ||
| Improper Validation of Array Index vulnerability in Samsung Open Source Walrus Webassembly runtime engine allows a segmentation fault issue. This issue affects Walrus: before 72c7230f32a0b791355bbdfc78669701024b0956. | ||||
| CVE-2024-3269 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-04-15 | 5.4 Medium |
| The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the plugin and delete its data. | ||||
| CVE-2024-2355 | 1 Keerti1924 | 1 Secret-coder-php-project | 2026-04-15 | 3.7 Low |
| A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /secret_coder.sql. The manipulation leads to inclusion of sensitive information in source code. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256315. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2357 | 1 Redhat | 4 Enterprise Linux, Openshift, Rhel E4s and 1 more | 2026-04-15 | 6.5 Medium |
| The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service. | ||||
| CVE-2024-23593 | 2026-04-15 | 6.7 Medium | ||
| A vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could allow a privileged attacker with local access to modify the boot manager and escalate privileges. | ||||
| CVE-2024-23599 | 2026-04-15 | 7.9 High | ||
| Race condition in Seamless Firmware Updates for some Intel(R) reference platforms may allow a privileged user to potentially enable denial of service via local access. | ||||
| CVE-2024-23600 | 2026-04-15 | 2.7 Low | ||
| Improper Input Validation of query search results for private field data in PingIDM (Query Filter module) allows for a potentially efficient brute forcing approach leading to information disclosure. | ||||
| CVE-2024-23674 | 1 Ausweisapp | 1 Online-ausweis-funktion | 2026-04-15 | 9.6 Critical |
| The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is "ensuring a secure operational environment at the client side is an obligation of the ID card owner." | ||||