Export limit exceeded: 358858 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (358858 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9652 | 2026-04-15 | 6.1 Medium | ||
| The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9647 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Kama SpamBlock plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST values in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9636 | 2026-04-15 | 9.8 Critical | ||
| The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator. | ||||
| CVE-2024-9616 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The BlockMeister – Block Pattern Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9611 | 2026-04-15 | 6.1 Medium | ||
| The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-8000 | 2026-04-15 | 5.3 Medium | ||
| On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug. | ||||
| CVE-2024-9544 | 2 Mapsvg, Wordpress | 2 Mapsvg, Wordpress | 2026-04-15 | 6.4 Medium |
| The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9543 | 2026-04-15 | 6.4 Medium | ||
| The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9508 | 2026-04-15 | 7.8 High | ||
| Horner Automation Cscape contains a memory corruption vulnerability, which could allow an attacker to disclose information and execute arbitrary code. | ||||
| CVE-2024-9521 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9506 | 2026-04-15 | 3.7 Low | ||
| Improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service vulnerability. | ||||
| CVE-2024-9501 | 2026-04-15 | 9.8 Critical | ||
| The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | ||||
| CVE-2024-9499 | 2026-04-15 | 8.6 High | ||
| DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Win 98SE Dev Kit installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | ||||
| CVE-2024-9498 | 2026-04-15 | 8.6 High | ||
| DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | ||||
| CVE-2024-9497 | 2026-04-15 | 8.6 High | ||
| DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress 4 SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | ||||
| CVE-2025-1400 | 2026-04-15 | 3.1 Low | ||
| Out-of-bounds Read vulnerability in unpack_response (conn.c) in libplctag from 2.0 through 2.6.3 allows Overread Buffers via network. | ||||
| CVE-2024-7756 | 1 Lenovo | 3 10w Firmware, Thinkpad L390 Firmware, Thinkpad L390 Yoga Firmware | 2026-04-15 | 6.8 Medium |
| A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell. | ||||
| CVE-2025-1415 | 2026-04-15 | N/A | ||
| A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2024-7737 | 1 Dassault | 3 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023, 3dswymer 3dexperience 2024 | 2026-04-15 | 8.7 High |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-14150 | 1 Ibm | 1 Webmethods Integration On Prem Integration Server | 2026-04-15 | 6.5 Medium |
| IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. | ||||