Export limit exceeded: 344763 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344763 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39566 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-04-14 | 4 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26. | ||||
| CVE-2026-38532 | 2026-04-14 | 8.1 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38530 | 2026-04-14 | 8.1 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38529 | 2026-04-14 | 8.8 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | ||||
| CVE-2026-38528 | 2026-04-14 | 7.1 High | ||
| Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | ||||
| CVE-2026-38527 | 2026-04-14 | 8.5 High | ||
| A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. | ||||
| CVE-2026-38526 | 2026-04-14 | 9.9 Critical | ||
| An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2026-34627 | 2026-04-14 | 7.8 High | ||
| InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-33118 | 1 Microsoft | 1 Edge Chromium | 2026-04-14 | 4.3 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2026-27906 | 1 Microsoft | 6 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 3 more | 2026-04-14 | 4.4 Medium |
| Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-27246 | 2026-04-14 | 9.3 Critical | ||
| Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-26154 | 1 Microsoft | 7 Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and 4 more | 2026-04-14 | 7.5 High |
| Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network. | ||||
| CVE-2026-26143 | 1 Microsoft | 1 Powershell | 2026-04-14 | 7.8 High |
| Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2026-24906 | 2026-04-14 | N/A | ||
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only | ||||
| CVE-2025-70023 | 2026-04-14 | N/A | ||
| An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. | ||||
| CVE-2025-69993 | 2026-04-14 | 6.1 Medium | ||
| Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. | ||||
| CVE-2025-65136 | 2026-04-14 | 6.1 Medium | ||
| In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | ||||
| CVE-2025-65135 | 2026-04-14 | 9.8 Critical | ||
| In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | ||||
| CVE-2025-65132 | 2026-04-14 | 6.1 Medium | ||
| alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | ||||
| CVE-2025-63939 | 2026-04-14 | 9.8 Critical | ||
| Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. | ||||