Export limit exceeded: 344866 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344866 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6588 | 2026-04-15 | 6.4 Medium | ||
| The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘media_url’ parameter in all versions up to, and including, 11.9.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-23049 | 2026-04-15 | N/A | ||
| Meridian Technique Materialise OrthoView through 7.5.1 allows OS Command Injection when servlet sharing is enabled. | ||||
| CVE-2025-29594 | 2026-04-15 | 6.1 Medium | ||
| A vulnerability exists in the errorpage.php file of the CS2-WeaponPaints-Website v2.1.7 where user-controlled input is not adequately validated before being processed. Specifically, the $_GET['errorcode'] parameter can be manipulated to access unauthorized error codes, leading to Cross-Site Scripting (XSS) attacks and information disclosure. | ||||
| CVE-2025-32525 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MapGeo Interactive Geo Maps interactive-geo-maps allows Reflected XSS.This issue affects Interactive Geo Maps: from n/a through <= 1.6.24. | ||||
| CVE-2025-2305 | 2026-04-15 | 8.6 High | ||
| A Path traversal vulnerability in the file download functionality was identified. This vulnerability allows unauthenticated users to download arbitrary files, in the context of the application server, from the Linux server. | ||||
| CVE-2025-2961 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in opensolon up to 3.1.0. This vulnerability affects the function render_mav of the file /aa of the component org.noear.solon.core.handle.RenderManager. The manipulation of the argument template with the input ../org/example/HelloApp.class leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-6591 | 1 Nitesh Singh | 1 Ultimate Wordpress Auction Plugin | 2026-04-15 | 5.8 Medium |
| The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address. | ||||
| CVE-2025-32527 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pey22 T&P Gallery Slider tp-gallery-slider allows Stored XSS.This issue affects T&P Gallery Slider: from n/a through <= 1.2. | ||||
| CVE-2024-6625 | 2026-04-15 | 5.5 Medium | ||
| The WP Total Branding – Complete branding solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-23050 | 1 Qt | 1 Qt | 2026-04-15 | 3.1 Low |
| QLowEnergyController in Qt before 6.8.2 mishandles malformed Bluetooth ATT commands, leading to an out-of-bounds read (or division by zero). This is fixed in 5.15.19, 6.5.9, and 6.8.2. | ||||
| CVE-2025-32528 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds ical-feeds allows Reflected XSS.This issue affects iCal Feeds: from n/a through <= 1.5.3. | ||||
| CVE-2026-25319 | 2 Wordpress, Wpzita | 2 Wordpress, Zita Elementor Site Library | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6. | ||||
| CVE-2025-32529 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iONE360 iONE360 configurator ione360-configurator allows Reflected XSS.This issue affects iONE360 configurator: from n/a through <= 2.0.57. | ||||
| CVE-2024-7501 | 2026-04-15 | 4.2 Medium | ||
| The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files. | ||||
| CVE-2025-23051 | 2026-04-15 | 7.2 High | ||
| An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files. | ||||
| CVE-2025-23052 | 2026-04-15 | 7.2 High | ||
| Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system. | ||||
| CVE-2025-32530 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Wallet System for WooCommerce wallet-system-for-woocommerce allows Reflected XSS.This issue affects Wallet System for WooCommerce: from n/a through <= 2.6.8. | ||||
| CVE-2024-7827 | 1 Wpeasycart | 1 Shopping Cart \& Ecommerce Store | 2026-04-15 | 8.8 High |
| The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to boolean-based SQL Injection via the ‘model_number’ parameter in all versions up to, and including, 5.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-2306 | 2026-04-15 | 5.9 Medium | ||
| An Improper Access Control vulnerability was identified in the file download functionality. This vulnerability allows users to download sensitive documents without authentication, if the URL is known. The attack requires the attacker to know the documents UUIDv4. | ||||
| CVE-2025-32535 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digireturn DN Shipping by Weight for WooCommerce dn-shipping-by-weight allows Reflected XSS.This issue affects DN Shipping by Weight for WooCommerce: from n/a through <= 1.2. | ||||