Export limit exceeded: 345259 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345259 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8398 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-20315 | 1 Cisco | 1 Ios Xr Software | 2026-04-15 | 5.8 Medium |
| A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL. | ||||
| CVE-2025-8404 | 1 Supermicro | 1 Bmc | 2026-04-15 | 5.5 Medium |
| Stack buffer overflow vulnerability exists in the Supermicro BMC Shared library. An authenticated attacker with access to the BMC exploit stack buffer via a crafted header and achieve arbitrary code execution of the BMC’s firmware operating system. | ||||
| CVE-2025-8418 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | ||||
| CVE-2025-27594 | 2026-04-15 | 7.5 High | ||
| The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack. | ||||
| CVE-2025-8422 | 2 Fassionstorage, Wordpress | 2 All-in-one Client Management System Plugin, Wordpress | 2026-04-15 | 7.5 High |
| The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-8425 | 2 Mythemeshop, Wordpress | 2 My Wp Translate, Wordpress | 2026-04-15 | 8.8 High |
| The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2024-2036 | 2026-04-15 | 4.3 Medium | ||
| The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions. | ||||
| CVE-2024-4996 | 2026-04-15 | 9.8 Critical | ||
| Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. | ||||
| CVE-2024-4999 | 2026-04-15 | N/A | ||
| A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges.This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through 6.95-1.Rt2880; APC Propeller: through 2-5.95-4.Rt3352. | ||||
| CVE-2025-23267 | 1 Nvidia | 1 Container Toolkit | 2026-04-15 | 8.5 High |
| NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service. | ||||
| CVE-2024-5000 | 2026-04-15 | 7.5 High | ||
| An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size. | ||||
| CVE-2024-50054 | 1 Myscada | 2 Mypro Manager, Mypro Runtime | 2026-04-15 | 7.5 High |
| The back-end does not sufficiently verify the user-controlled filename parameter which makes it possible for an attacker to perform a path traversal attack and retrieve arbitrary files from the file system. | ||||
| CVE-2025-8445 | 3 Elementor, Shaikhaezaz80, Wordpress | 3 Elementor, Countdown Timer For Elementor, Wordpress | 2026-04-15 | 6.4 Medium |
| The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' Parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-20446 | 1 Cisco | 1 Nx-os | 2026-04-15 | 8.6 High |
| A vulnerability in the DHCPv6 relay agent of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of specific fields in a DHCPv6 RELAY-REPLY message. An attacker could exploit this vulnerability by sending a crafted DHCPv6 packet to any IPv6 address that is configured on an affected device. A successful exploit could allow the attacker to cause the dhcp_snoop process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition. | ||||
| CVE-2025-8452 | 2026-04-15 | 4.3 Medium | ||
| By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol by which an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless, since the calculated default administrator password would no longer be the correct password. | ||||
| CVE-2025-8479 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-5023 | 1 Netflix | 1 Consoleme | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0. | ||||
| CVE-2025-8481 | 3 Elementor, Mdimran41, Wordpress | 3 Elementor, Blog Designer For Elementor Plugin, Wordpress | 2026-04-15 | 4.3 Medium |
| The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8557 | 1 Lenovo | 1 Xclarity Orchestrator | 2026-04-15 | 8.8 High |
| An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks. | ||||