Search Results (366863 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-4506 1 Mindinventory 1 Mindsql 2026-04-22 6.3 Medium
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-13785 2 Reputeinfosystems, Wordpress 2 Contact Form, Survey, Quiz & Popup Form Builder – Arforms, Wordpress 2026-04-22 5.6 Medium
The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2026-1253 2 Atomchat, Wordpress 2 Group Chat & Video Chat By Atomchat, Wordpress 2026-04-22 4.3 Medium
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations.
CVE-2026-1278 2 Ketanmujumdar, Wordpress 2 Mandatory Field, Wordpress 2026-04-22 4.4 Medium
The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-1390 2 Haghs, Wordpress 2 Redirect Countdown, Wordpress 2026-04-22 4.3 Medium
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1392 2 Superrishi, Wordpress 2 Sr Wp Minify Html, Wordpress 2026-04-22 4.3 Medium
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1393 2 Omarnas, Wordpress 2 Add Google Social Profiles To Knowledge Graph Box, Wordpress 2026-04-22 4.3 Medium
The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1647 2 Basiliskan, Wordpress 2 Comment Genius, Wordpress 2026-04-22 6.1 Medium
The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-1806 2 Tourcms, Wordpress 2 Tour & Activity Operator Plugin For Tourcms, Wordpress 2026-04-22 6.4 Medium
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1822 2 Tonysamperi, Wordpress 2 Wp Ng Weather, Wordpress 2026-04-22 6.4 Medium
The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1886 2 Hrs2015, Wordpress 2 Go Night Pro | Wordpress Dark Mode Plugin, Wordpress 2026-04-22 6.4 Medium
The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-43436 1 Apple 8 Ios, Ipad Os, Ipados and 5 more 2026-04-22 7.5 High
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to enumerate a user's installed apps.
CVE-2025-43504 1 Apple 1 Xcode 2026-04-22 4.9 Medium
A buffer overflow was addressed with improved bounds checking. This issue is fixed in Xcode 26.1. A user in a privileged network position may be able to cause a denial-of-service.
CVE-2025-43441 2 Apple, Redhat 14 Ios, Ipad Os, Ipados and 11 more 2026-04-22 4.3 Medium
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43431 1 Apple 7 Ios, Ipados, Iphone Os and 4 more 2026-04-22 8.8 High
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption.
CVE-2025-43450 1 Apple 3 Ios, Ipados, Iphone Os 2026-04-22 7.5 High
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to learn information about the current camera view before being granted camera access.
CVE-2025-43446 1 Apple 3 Macos, Macos Sequoia, Macos Sonoma 2026-04-22 5.5 Medium
This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to modify protected parts of the file system.
CVE-2025-43493 1 Apple 5 Ios, Ipados, Iphone Os and 2 more 2026-04-22 4.3 Medium
The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1. Visiting a malicious website may lead to address bar spoofing.
CVE-2025-43502 1 Apple 5 Ios, Ipados, Iphone Os and 2 more 2026-04-22 7.5 High
A privacy issue was addressed by removing sensitive data. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1. An app may be able to bypass certain Privacy preferences.
CVE-2025-43430 1 Apple 7 Ios, Ipados, Iphone Os and 4 more 2026-04-22 4.3 Medium
This issue was addressed through improved state management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.