Export limit exceeded: 344777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344777 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2944 | 2 Jegtheme, Wordpress | 2 Jeg Elementor Kit, Wordpress | 2026-04-15 | 6.4 Medium |
| The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Button and Countdown Widgets in all versions up to, and including, 2.6.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5584 | 2026-04-15 | 6.4 Medium | ||
| The WordPress Online Booking and Scheduling Plugin – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Color Profile parameter in all versions up to, and including, 23.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the staff member role and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-23016 | 1 Fastcgi | 1 Fcgi | 2026-04-15 | 9.3 Critical |
| FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c. | ||||
| CVE-2025-29476 | 2026-04-15 | 5.5 Medium | ||
| Buffer Overflow vulnerability in compress_chunk_fuzzer with oss-fuzz on commit 16450518afddcb3139de627157208e49bfef6987 in c-blosc2 v.2.17.0 and before. | ||||
| CVE-2025-32494 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in bozdoz reCAPTCHA Jetpack recaptcha-jetpack allows Cross Site Request Forgery.This issue affects reCAPTCHA Jetpack: from n/a through <= 0.2.2. | ||||
| CVE-2024-5662 | 2026-04-15 | 6.4 Medium | ||
| The Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count (Static) widget in all versions up to, and including, 3.11.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-23017 | 2026-04-15 | 6 Medium | ||
| WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred. | ||||
| CVE-2025-29509 | 2026-04-15 | 8.8 High | ||
| Jan v0.5.14 and before is vulnerable to remote code execution (RCE) when the user clicks on a rendered link in the conversation, due to opening external website in the app and the exposure of electronAPI, with a lack of filtering of URL when calling shell.openExternal(). | ||||
| CVE-2025-32495 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Waymark waymark allows Stored XSS.This issue affects Waymark: from n/a through <= 1.5.3. | ||||
| CVE-2025-2302 | 2026-04-15 | 6.4 Medium | ||
| The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aws_search_terms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-29525 | 1 Dasan | 1 H660wm | 2026-04-15 | 5.3 Medium |
| DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel. | ||||
| CVE-2025-32511 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Excellent Dynamics Make Email Customizer for WooCommerce make-email-customizer-for-woocommerce allows Reflected XSS.This issue affects Make Email Customizer for WooCommerce: from n/a through <= 1.0.6. | ||||
| CVE-2024-5793 | 1 Favethemes | 1 Houzez | 2026-04-15 | 8.8 High |
| The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via the ‘currency_code’ parameter in all versions up to, and including, 3.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-23020 | 1 Ptrd | 1 Kwik | 2026-04-15 | 5.3 Medium |
| An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). | ||||
| CVE-2025-29529 | 2026-04-15 | 6.5 Medium | ||
| ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx. | ||||
| CVE-2025-32514 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote wc-estimate-and-quote allows Reflected XSS.This issue affects WooCommerce Estimate and Quote: from n/a through <= 1.0.2.5. | ||||
| CVE-2025-23026 | 2026-04-15 | 6.1 Medium | ||
| jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. HTML templates rendered by Jte's `OwaspHtmlTemplateOutput` in versions less than or equal to `3.1.15` with `script` tags or script attributes that contain Javascript template strings (backticks) are vulnerable. Users are advised to upgrade to version 3.1.16 or later to resolve this issue. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-32515 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in terminalafrica Terminal Africa terminal-africa allows Reflected XSS.This issue affects Terminal Africa: from n/a through <= 1.13.24. | ||||
| CVE-2025-23027 | 2026-04-15 | N/A | ||
| next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems. | ||||
| CVE-2025-29556 | 1 Exagrid | 1 Ex10 | 2026-04-15 | 7.3 High |
| ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with an Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval. | ||||