| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability is fixed in 1.2.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Quý Lê 91 Administrator Z administrator-z allows DOM-Based XSS.This issue affects Administrator Z: from n/a through <= 2026.03.02. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion.This issue affects CWW Portfolio: from n/a through <= 1.3.1. |
| In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
v4l2_subdev_call_state_try() macro allocates a subdev state with
__v4l2_subdev_state_alloc(), but does not check the returned value. If
__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would
cause v4l2_subdev_call_state_try() to crash.
Add proper error handling to v4l2_subdev_call_state_try(). |
| Missing Authorization vulnerability in Dotstore Hide Shipping Method For WooCommerce hide-shipping-method-for-woocommerce.This issue affects Hide Shipping Method For WooCommerce: from n/a through <= 1.5.1. |
| base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Stored XSS.This issue affects Advanced Woo Labels: from n/a through <= 2.15. |
| Authorization Bypass Through User-Controlled Key vulnerability in NirWp Team Nirweb support nirweb-support.This issue affects Nirweb support: from n/a through <= 3.0.3. |
| libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smartwpress Musician's Pack For Elementor music-pack-for-elementor allows DOM-Based XSS.This issue affects Musician's Pack For Elementor: from n/a through <= 1.8.7. |
| The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import redirects, including comments containing cross-site scripting as detailed in CVE-2023-1602, granted they can trick a site administrator into performing an action such as clicking on a link. |
| Missing Authorization vulnerability in WPDeveloper Document Block – Upload & Embed Docs document.This issue affects Document Block – Upload & Embed Docs: from n/a through <= 1.1.0. |
| There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none, and the impact
to system integrity is none. |
| Missing Authorization vulnerability in Ability, Inc Accessibility Suite online-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Suite: from n/a through <= 4.18. |
| Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler Code traveler-code.This issue affects Traveler Code: from n/a through < 3.1.2. |
| Improper neutralization for some Intel(R) Neural Compressor software before version v3.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon News Element Elementor Blog Magazine news-element allows DOM-Based XSS.This issue affects News Element Elementor Blog Magazine: from n/a through <= 1.0.9. |
| The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific filenames on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in everestthemes Grace Mag grace-mag allows PHP Local File Inclusion.This issue affects Grace Mag: from n/a through <= 1.1.5. |
