Export limit exceeded: 20401 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 11728 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11728 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6771 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 9.8 Critical |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | ||||
| CVE-2016-7836 | 1 Skygroup | 1 Skysea Client View | 2026-04-22 | 9.8 Critical |
| SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program. | ||||
| CVE-2025-4431 | 1 Krasenslavov | 1 Featured Image Plus | 2026-04-22 | 4.3 Medium |
| The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post. | ||||
| CVE-2026-6768 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 9.8 Critical |
| Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2025-6786 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 5.3 Medium |
| The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to. | ||||
| CVE-2025-7692 | 2026-04-22 | 8.1 High | ||
| The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number. | ||||
| CVE-2010-0738 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2026-04-22 | 5.3 Medium |
| The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. | ||||
| CVE-2016-4437 | 2 Apache, Redhat | 6 Aurora, Shiro, Fuse and 3 more | 2026-04-22 | 9.8 Critical |
| Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. | ||||
| CVE-2014-3120 | 3 Elastic, Redhat, Rhel Sam | 7 Elasticsearch, Fuse Esb Enterprise, Fuse Management Console and 4 more | 2026-04-22 | 8.1 High |
| The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | ||||
| CVE-2025-7778 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 9.8 Critical |
| The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-10902 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 4.3 Medium |
| The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data. | ||||
| CVE-2025-6680 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-04-22 | 4.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information. | ||||
| CVE-2025-12005 | 2 Rextheme, Wordpress | 2 Wp Vr, Wordpress | 2026-04-22 | 4.3 Medium |
| The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options. | ||||
| CVE-2025-10484 | 3 Fmeaddons, Woocommerce, Wordpress | 3 Registration And Login With Mobile Phone Number For Woocommerce, Woocommerce, Wordpress | 2026-04-22 | 9.8 Critical |
| The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | ||||
| CVE-2017-8543 | 1 Microsoft | 10 Windows 10 1507, Windows 10 1511, Windows 10 1607 and 7 more | 2026-04-22 | 9.8 Critical |
| Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability". | ||||
| CVE-2016-3427 | 8 Apache, Canonical, Debian and 5 more | 42 Cassandra, Ubuntu Linux, Debian Linux and 39 more | 2026-04-22 | 9.8 Critical |
| Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. | ||||
| CVE-2025-11163 | 2 Wordpress, Wpmudev | 2 Wordpress, Smartcrawl | 2026-04-22 | 4.3 Medium |
| The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings. | ||||
| CVE-2025-11227 | 3 Givew, Givewp, Wordpress | 3 Donation Plugin And Fundraising Platform, Givewp, Wordpress | 2026-04-22 | 6.5 Medium |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns. | ||||
| CVE-2011-3544 | 4 Canonical, Oracle, Redhat and 1 more | 9 Ubuntu Linux, Jdk, Jre and 6 more | 2026-04-22 | 9.8 Critical |
| Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. | ||||
| CVE-2013-2423 | 4 Canonical, Opensuse, Oracle and 1 more | 5 Ubuntu Linux, Opensuse, Jre and 2 more | 2026-04-22 | 3.7 Low |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager. | ||||