Export limit exceeded: 351659 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351659 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9070 | 1 Bentoml | 1 Bentoml | 2026-04-15 | N/A |
| A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution. | ||||
| CVE-2024-9101 | 2026-04-15 | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set. | ||||
| CVE-2024-9100 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2026-04-15 | 6.5 Medium |
| Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal. | ||||
| CVE-2024-9102 | 2026-04-15 | N/A | ||
| phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export. | ||||
| CVE-2024-9103 | 1 Forcepoint | 1 Email Security | 2026-04-15 | 6.1 Medium |
| Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS. This issue affects Email Security through 8.5.5. | ||||
| CVE-2024-9104 | 2 Tophive, Wordpress | 2 Ultimate Ai, Wordpress | 2026-04-15 | 5.6 Medium |
| The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers. | ||||
| CVE-2024-9105 | 1 Tophive | 1 Ultimate Ai | 2026-04-15 | 9.8 Critical |
| The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2024-9106 | 1 Xunhuweb | 1 Wechat Social Login | 2026-04-15 | 9.8 Critical |
| The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value. | ||||
| CVE-2024-9108 | 1 Xunhuweb | 1 Wechat Social Login | 2026-04-15 | 9.8 Critical |
| The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-9111 | 2 Pickplugins, Wordpress | 2 Product Designer, Wordpress | 2026-04-15 | 6.4 Medium |
| The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9118 | 2026-04-15 | 6.4 Medium | ||
| The QS Dark Mode Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9116 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Monkee-Boy Essentials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9119 | 2026-04-15 | 6.4 Medium | ||
| The SVG Complete plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9129 | 1 Zend | 1 Zend Server | 2026-04-15 | N/A |
| In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino | ||||
| CVE-2024-9135 | 2026-04-15 | 5.3 Medium | ||
| On affected platforms running Arista EOS with BGP Link State configured, BGP peer flap can cause the BGP agent to leak memory. This may result in BGP routing processing being terminated and route flapping. | ||||
| CVE-2024-9137 | 1 Moxa | 7 Edf-g1002-bp, Edr-8010, Edr-g9004 and 4 more | 2026-04-15 | 9.4 Critical |
| The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise. | ||||
| CVE-2024-9138 | 2026-04-15 | 7.2 High | ||
| Moxa’s cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk. | ||||
| CVE-2024-9139 | 1 Moxa | 8 Edf-g1002-bp Firmware, Edr-8010 Firmware, Edr-810 Firmware and 5 more | 2026-04-15 | 7.2 High |
| The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. | ||||
| CVE-2024-9140 | 2026-04-15 | 9.8 Critical | ||
| Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality. | ||||
| CVE-2024-9141 | 2026-04-15 | 5.4 Medium | ||
| Cross-Site Scripting (XSS) vulnerability in the Oct8ne system. This flaw could allow an attacker to embed harmful JavaScript code into the body of a chat message. This manipulation occurs when the chat content is intercepted and altered, leading to the execution of the JavaScript payload. | ||||