Export limit exceeded: 345446 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345446 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345446 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345446 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64658 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-04-20 | 7.5 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-64666 | 1 Microsoft | 4 Exchange Server, Exchange Server 2016, Exchange Server 2019 and 1 more | 2026-04-20 | 7.5 High |
| Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-64673 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-04-20 | 7.8 High |
| Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-62550 | 1 Microsoft | 1 Azure Monitor Agent | 2026-04-20 | 8.8 High |
| Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-62552 | 1 Microsoft | 8 365 Apps, Access, Access 2016 and 5 more | 2026-04-20 | 7.8 High |
| Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-62555 | 1 Microsoft | 13 365 Apps, Office, Office 2019 and 10 more | 2026-04-20 | 7 High |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-62556 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-04-20 | 7.8 High |
| Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-14151 | 2 Wordpress, Wp-slimstat | 2 Wordpress, Slimstat Analytics | 2026-04-20 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-62224 | 1 Microsoft | 1 Edge | 2026-04-20 | 5.5 Medium |
| User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-67133 | 1 Heromotocorp | 2 Vida V1 Pro, Vida V1 Pro Firmware | 2026-04-20 | 7.5 High |
| An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component | ||||
| CVE-2025-13753 | 2 Wordpress, Wptb | 2 Wordpress, Wp Table Builder | 2026-04-20 | 4.3 Medium |
| The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts. | ||||
| CVE-2025-67246 | 1 Ludashi | 2 Driver, Ludashi Driver | 2026-04-20 | 7.3 High |
| A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass the Kernel Address Space Layout Rules (KASLR) and achieve local privilege escalation. | ||||
| CVE-2025-15527 | 1 Wordpress | 1 Wordpress | 2026-04-20 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-15347 | 2 Getwpfunnels, Wordpress | 2 Creator Lms, Wordpress | 2026-04-20 | 8.8 High |
| The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. | ||||
| CVE-2025-14283 | 2 Wordpress, Wpblockart | 2 Wordpress, Blockart Blocks | 2026-04-20 | 6.4 Medium |
| The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-41117 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-04-20 | 6.8 Medium |
| Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever. | ||||
| CVE-2026-6615 | 2 Superagi, Transformeroptimus | 2 Superagi, Superagi | 2026-04-20 | 7.3 High |
| A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6616 | 2 Superagi, Transformeroptimus | 2 Superagi, Superagi | 2026-04-20 | 6.3 Medium |
| A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract_with_bs4/extract_with_3k/extract_with_lxml of the file superagi/helper/webpage_extractor.py of the component WebScraperTool. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0974 | 2026-04-20 | 5 Medium | ||
| A vulnerability was determined in MaxD Lightning Module 4.43/4.44 on OpenCart. This issue affects some unknown processing. Executing a manipulation of the argument li_op/md can lead to deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.45 is capable of addressing this issue. Upgrading the affected component is advised. | ||||
| CVE-2025-1686 | 1 Pebbletemplates | 1 Pebble | 2026-04-20 | 6.8 Medium |
| Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build(); | ||||