Search Results (6953 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36679 1 Prestashop 1 Livechatpro 2026-04-15 10 Critical
In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffer of a white writer that can inject PHP code into a PHP file.
CVE-2024-46963 1 Google 1 Android 2026-04-15 8.1 High
The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the com.bluesky.browser.ui.BrowserMainActivity component.
CVE-2024-46962 1 Google 1 Android 2026-04-15 9.1 Critical
The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.video.fast.SpeedMainAct component.
CVE-2025-9999 1 Arcinfo 1 Pcvue 2026-04-15 N/A
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.
CVE-2024-28397 1 Js2py 1 Js2py Disable Pyimport 2026-04-15 5.3 Medium
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
CVE-2020-37052 1 Ubiquiti 1 Aircontrol 2026-04-15 9.8 Critical
AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges.
CVE-2020-37186 1 Chevereto 1 Chevereto 2026-04-15 9.8 Critical
Chevereto 3.13.4 Core contains a remote code execution vulnerability that allows attackers to inject malicious code during database configuration installation. Attackers can manipulate the database table prefix parameter to write a PHP shell file and execute arbitrary system commands through a crafted POST request.
CVE-2024-46960 1 Asdcom 1 Hd Video Downloader 2026-04-15 8.8 High
The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component.
CVE-2025-1337 2026-04-15 3.5 Low
A vulnerability was found in Eastnets PaymentSafe 2.5.26.0. It has been classified as problematic. This affects an unknown part of the component BIC Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.5.27.0 is able to address this issue.
CVE-2024-4662 2 Soflyy, Wordpress 2 Oxygen, Wordpress 2026-04-15 8.8 High
The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
CVE-2025-1360 2026-04-15 3.5 Low
A vulnerability, which was classified as problematic, was found in Internet Web Solutions Sublime CRM up to 20250207. Affected is an unknown function of the file /crm/inicio.php of the component HTTP POST Request Handler. The manipulation of the argument msg_to leads to cross site scripting. It is possible to launch the attack remotely. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-8760 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.
CVE-2025-1810 2026-04-15 4.3 Medium
A vulnerability was found in Pixsoft Vivaz 6.0.11. It has been classified as problematic. Affected is an unknown function of the file /servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231 of the component Login Endpoint. The manipulation of the argument sistema leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11548 1 Ibi 1 Webfocus Business Intelligence 2026-04-15 N/A
A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application which may lead to unauthenticated Remote Code Execution
CVE-2024-13929 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2026-04-15 7.2 High
Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVE-2024-13815 2 Themographics, Wordpress 2 Listingo, Wordpress 2026-04-15 6.5 Medium
The The Listingo theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-13812 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-11012 2026-04-15 6.3 Medium
The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2024-10681 2026-04-15 6.3 Medium
The The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2024-45186 1 Filesender 1 Filesender 2026-04-15 9.8 Critical
FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.