Search Results (6924 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-0871 2026-04-15 3.5 Low
A vulnerability classified as problematic has been found in Maybecms 1.2. This affects an unknown part of the file /mb/admin/index.php?u=article-edit of the component Add Article. The manipulation of the argument data_info[content] leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-0578 2026-04-15 3.5 Low
A vulnerability was found in Facile Sistemas Cloud Apps up to 20250107. It has been classified as problematic. Affected is an unknown function of the file /account/forgotpassword of the component Password Reset Handler. The manipulation of the argument reterros leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-41717 1 Phoenixcontact 8 Cloud Client 1101t-tx, Tc Cloud Client 1002-4g Att, Tc Cloud Client 1002-txtx and 5 more 2026-04-15 8.8 High
An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection’).
CVE-2024-46960 1 Asdcom 1 Hd Video Downloader 2026-04-15 8.8 High
The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component.
CVE-2025-2191 2026-04-15 2.4 Low
A vulnerability, which was classified as problematic, has been found in Claro A7600-A1 RNR4-A72T-2x16_v2110403_CLA_32_160817. Affected by this issue is some unknown functionality of the file /form2pingv6.cgi of the component Ping6 Diagnóstico. The manipulation of the argument ip6addr with the input <img/src/onerror=prompt(8)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-14538 1 Yangshare 1 Warehousemanager 2026-04-15 3.5 Low
A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. This affects the function addCustomer of the file CustomerManageHandler.java. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-2313 2026-04-15 N/A
In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter.
CVE-2025-3114 2026-04-15 N/A
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
CVE-2025-52385 2026-04-15 9.8 Critical
An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module
CVE-2025-61488 1 Slims 1 Senayan Library Management System 2026-04-15 7.6 High
An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter
CVE-2025-53419 2026-04-15 7.8 High
Delta Electronics COMMGR has Code Injection vulnerability.
CVE-2025-10710 1 07fly 3 07fly-cms, 07flycms, 07flycrm 2026-04-15 4.3 Medium
A flaw has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-10711 1 07fly 3 07fly-cms, 07flycms, 07flycrm 2026-04-15 4.3 Medium
A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5007 2026-04-15 3.5 Low
A vulnerability was found in Part-DB up to 1.17.0. It has been declared as problematic. Affected by this vulnerability is the function handleUpload of the file src/Services/Attachments/AttachmentSubmitHandler.php of the component Profile Picture Feature. The manipulation of the argument attachment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.17.1 is able to address this issue. The identifier of the patch is 2c4f44e808500db19c391159b30cb6142896d415. It is recommended to upgrade the affected component.
CVE-2025-25246 1 Netgear 2 Xr1000, Xr500 2026-04-15 8.1 High
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
CVE-2024-46639 1 Evolutionscript 1 Helpdeskz 2026-04-15 7.6 High
A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box.
CVE-2024-4662 2 Soflyy, Wordpress 2 Oxygen, Wordpress 2026-04-15 8.8 High
The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
CVE-2024-6726 2026-04-15 8.8 High
Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE).
CVE-2024-53554 1 Taigaio 1 Taiga Front 2026-04-15 8 High
A Client-Side Template Injection (CSTI) vulnerability in the component /project/new/scrum of Taiga v 8.6.1 allows remote attackers to execute arbitrary code by injecting a malicious payload within the new project details.
CVE-2025-41010 1 Hiberus 1 Sintra 2026-04-15 N/A
Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.