Export limit exceeded: 345222 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345222 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7426 | 1 Minova | 1 Tta | 2026-04-15 | N/A |
| Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse. Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs | ||||
| CVE-2025-7432 | 1 Silabs | 1 Simplicity Sdk | 2026-04-15 | N/A |
| DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack. | ||||
| CVE-2025-7433 | 2026-04-15 | 8.8 High | ||
| A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution. | ||||
| CVE-2025-13667 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7623 | 1 Supermicro | 1 Mbd-x13sedw-f | 2026-04-15 | 5.4 Medium |
| Stack-based buffer overflow in the SMASH-CLP shell. An authenticated attacker with SSH access to the BMC can exploit a stack buffer overflow via a crafted SMASH command, overwrite the return address and registers, and achieve arbitrary code execution on the BMC firmware operating system | ||||
| CVE-2025-7451 | 1 Hgiga | 1 Isherlock | 2026-04-15 | 9.8 Critical |
| The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This vulnerability has already been exploited. Please update immediately. | ||||
| CVE-2025-26936 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Fresh Framework fresh-framework allows Code Injection.This issue affects Fresh Framework: from n/a through <= 1.70.0. | ||||
| CVE-2025-55758 | 2 Jdownloads, Joomla | 3 Jdownloads, Joomla, Joomla! | 2026-04-15 | 5.4 Medium |
| Multiple CSRF attack vectors in JDownloads component 1.0.0-4.0.47 for Joomla were discovered. | ||||
| CVE-2025-7507 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain. | ||||
| CVE-2025-11835 | 2 Cozmoslabs, Wordpress | 2 Paid Membership Subscriptions, Wordpress | 2026-04-15 | 5.3 Medium |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members. | ||||
| CVE-2025-7526 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-04-15 | 9.8 Critical |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-27277 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery add-linked-images-to-gallery-v01 allows Cross Site Request Forgery.This issue affects Add Linked Images To Gallery: from n/a through <= 1.4. | ||||
| CVE-2025-11759 | 2 Watchful, Wordpress | 2 Xcloner, Wordpress | 2026-04-15 | 4.3 Medium |
| The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | ||||
| CVE-2025-0580 | 1 Opencart | 1 Opencart | 2026-04-15 | 5.6 Medium |
| A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of the component REST API Module. The manipulation of the argument contentHash leads to incorrect authorization. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-55890 | 1 Man-group | 1 Dtale | 2026-04-15 | N/A |
| D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. | ||||
| CVE-2025-0591 | 1 Omron | 1 Cx-programmer | 2026-04-15 | 7.8 High |
| Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability. | ||||
| CVE-2025-7567 | 1 Shopxo | 1 Shopxo | 2026-04-15 | 4.3 Medium |
| A vulnerability was found in ShopXO up to 6.5.0 and classified as problematic. This issue affects some unknown processing of the file header.html. The manipulation of the argument lang/system_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-7569 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in Bigotry OneBase up to 1.3.6. It has been declared as problematic. Affected by this vulnerability is the function parse_args of the file /tpl/think_exception.tpl. The manipulation of the argument args leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-7576 | 2026-04-15 | 7.3 High | ||
| A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16 and classified as critical. Affected by this issue is some unknown functionality of the file /priv/production/production.html of the component Production Tools. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0595 | 2026-04-15 | 8.7 High | ||
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session. | ||||