Export limit exceeded: 346989 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 346989 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346989 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4900 | 1 Code-projects | 1 Online Food Ordering System | 2026-04-24 | 5.3 Medium |
| A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings. | ||||
| CVE-2026-4899 | 1 Code-projects | 1 Online Food Ordering System | 2026-04-24 | 2.4 Low |
| A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of the argument cuisines results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-4877 | 1 Itsourcecode | 1 Payroll Management System | 2026-04-24 | 4.3 Medium |
| A security flaw has been discovered in itsourcecode Payroll Management System up to 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument page results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-4875 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-04-24 | 4.7 Medium |
| A vulnerability was determined in itsourcecode Free Hotel Reservation System 1.0. The affected element is an unknown function of the file /admin/mod_amenities/index.php?view=add. This manipulation of the argument image causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-4862 | 1 Utt | 1 Hiper 1250gw | 2026-04-24 | 8.8 High |
| A security vulnerability has been detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file /goform/formConfigDnsFilterGlobal of the component Parameter Handler. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-4847 | 1 Dameng100 | 1 Muucmf | 2026-04-24 | 4.3 Medium |
| A vulnerability was found in dameng100 muucmf 1.9.5.20260309. The impacted element is an unknown function of the file /admin/config/list.html. Performing a manipulation of the argument Name results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4845 | 1 Dameng100 | 1 Muucmf | 2026-04-24 | 4.3 Medium |
| A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4844 | 1 Code-projects | 1 Online Food Ordering System | 2026-04-24 | 7.3 High |
| A vulnerability was detected in code-projects Online Food Ordering System 1.0. This issue affects some unknown processing of the file /admin.php of the component Admin Login Module. The manipulation of the argument Username results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | ||||
| CVE-2026-32528 | 2 Don-themes, Wordpress | 2 Riode, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29. | ||||
| CVE-2026-32530 | 2 Wordpress, Wpfunnels | 2 Wordpress, Creator Lms | 2026-04-24 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18. | ||||
| CVE-2026-32531 | 2 Gavias, Wordpress | 2 Kunco, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5. | ||||
| CVE-2026-32537 | 2 Visualportfolio, Wordpress | 2 Visual Portfolio, Photo Gallery & Post Grid, Wordpress | 2026-04-24 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1. | ||||
| CVE-2026-32538 | 2 Noor Alam, Wordpress | 2 Smtp Mailer, Wordpress | 2026-04-24 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data.This issue affects SMTP Mailer: from n/a through <= 1.1.24. | ||||
| CVE-2026-32539 | 2 Publishpress, Wordpress | 2 Publishpress Revisions, Wordpress | 2026-04-24 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection.This issue affects PublishPress Revisions: from n/a through <= 3.7.23. | ||||
| CVE-2026-32544 | 2 Oopspam, Wordpress | 2 Oopspam Anti-spam, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62. | ||||
| CVE-2026-32545 | 2 Taboola, Wordpress | 2 Taboola Pixel, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Taboola Taboola Pixel taboola-pixel allows Reflected XSS.This issue affects Taboola Pixel: from n/a through <= 1.1.4. | ||||
| CVE-2026-32546 | 2 Stellarwp, Wordpress | 2 Restrict Content, Wordpress | 2026-04-24 | 7.5 High |
| Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22. | ||||
| CVE-2026-32573 | 2 Neliosoftware, Wordpress | 2 Nelio Ab Testing, Wordpress | 2026-04-24 | 9.1 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7. | ||||
| CVE-2026-4075 | 2 Wordpress, Xenioushk | 2 Wordpress, Bwl Advanced Faq Manager Lite | 2026-04-24 | 6.4 Medium |
| The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4335 | 2 Shortpixel, Wordpress | 2 Shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif, Wordpress | 2026-04-24 | 5.4 Medium |
| The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment. | ||||