Export limit exceeded: 18568 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350887 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11758 | 2 Codebangers, Wordpress | 2 All In One Time Clock Lite, Wordpress | 2026-04-15 | 6.5 Medium |
| The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules). | ||||
| CVE-2025-11765 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11772 | 1 Synaptics | 1 Fingerprint Driver | 2026-04-15 | 6.6 Medium |
| A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | ||||
| CVE-2025-11774 | 3 Iconics, Mitsubishi Electric, Mitsubishielectric | 5 Genesis64, Iconics Suite, Mobilehmi and 2 more | 2026-04-15 | 8.2 High |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE. | ||||
| CVE-2025-11775 | 1 Asus | 1 Armoury Crate | 2026-04-15 | N/A |
| An out-of-bounds read vulnerability has been identified in the asComSvc service. This vulnerability can be triggered by sending specially crafted requests, which may lead to a service crash or partial loss of functionality. This vulnerability only affects ASUS motherboard series products. Refer to the 'Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | ||||
| CVE-2025-14311 | 2026-04-15 | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI.This issue affects JMRI: before 5.13.3. | ||||
| CVE-2025-11814 | 2 Brainstormforce, Wordpress | 2 Ultimate Addons For Wpbakery Page Builder, Wordpress | 2026-04-15 | 6.4 Medium |
| The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11816 | 2 Wordpress, Wplegalpages | 2 Wordpress, Wp Legal Pages | 2026-04-15 | 5.3 Medium |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan. | ||||
| CVE-2025-12695 | 1 Jfrog | 1 Dspy | 2026-04-15 | 5.9 Medium |
| The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class. | ||||
| CVE-2025-11820 | 3 Elementor, Iqonicdesign, Wordpress | 3 Elementor, Graphina, Wordpress | 2026-04-15 | 6.4 Medium |
| The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets. | ||||
| CVE-2025-11829 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11834 | 2 Wiellyam, Wordpress | 2 Wp Ad Gallery, Wordpress | 2026-04-15 | 6.4 Medium |
| The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11842 | 1 Smidge | 1 Smidge | 2026-04-15 | 6.3 Medium |
| A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-11843 | 1 Therefore Corporation | 1 Therefore | 2026-04-15 | N/A |
| Therefore Corporation GmbH has recently become aware that Therefore™ Online and Therefore™ On-Premises contain an account impersonation vulnerability. A malicious user may potentially be able to impersonate the web service account or the account of a service using the API when connecting to the Therefore™ Server. If the malicious user gains this impersonation user access, then it is possible for them to access the documents stored in Therefore™. This impersonation is at application level (Therefore access level), not the operating system level. | ||||
| CVE-2025-11851 | 1 Apeman | 1 Apeman | 2026-04-15 | 3.5 Low |
| A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11852 | 1 Apeman | 1 Apeman | 2026-04-15 | 5.3 Medium |
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12998 | 1 Typo3 | 1 Typo3 | 2026-04-15 | N/A |
| Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules.This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | ||||
| CVE-2025-11862 | 1 Rockwellautomation | 1 Verve Asset Manager | 2026-04-15 | N/A |
| A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | ||||
| CVE-2025-11864 | 1 Nucleoidai | 1 Nucleoid | 2026-04-15 | 7.3 High |
| A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed from remote. | ||||
| CVE-2025-11906 | 1 Progress | 1 Flowmon | 2026-04-15 | 6.7 Medium |
| A vulnerability exists in Progress Flowmon versions prior 12.5.6 where certain system configuration files have incorrect file permissions, allowing a user with access to the default flowmon system user account used for SSH access to potentially escalate privileges to root during service initialization. | ||||