Export limit exceeded: 344942 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344942 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344942 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53444 | 2 Deluxethemes, Wordpress | 2 Userpro, Wordpress | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11. | ||||
| CVE-2025-15635 | 2 Wordpress, Zaytech | 2 Wordpress, Smart Online Order For Clover | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0. | ||||
| CVE-2025-15636 | 2 Emarket-design, Wordpress | 2 Youtube Showcase, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1. | ||||
| CVE-2026-20132 | 1 Cisco | 1 Identity Services Engine Software | 2026-04-15 | 4.8 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. | ||||
| CVE-2026-20061 | 1 Cisco | 1 Unity Connection | 2026-04-15 | 4.3 Medium |
| A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device. | ||||
| CVE-2026-20059 | 1 Cisco | 1 Unity Connection | 2026-04-15 | 6.1 Medium |
| A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | ||||
| CVE-2026-32631 | 1 Gitforwindows | 1 Git | 2026-04-15 | 7.4 High |
| Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3. | ||||
| CVE-2026-0877 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-15 | 8.1 High |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. | ||||
| CVE-2026-0885 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-15 | 6.5 Medium |
| Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. | ||||
| CVE-2026-0684 | 2 Codepeople, Wordpress | 2 Cp Image Store With Slideshow, Wordpress | 2026-04-15 | 4.3 Medium |
| The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | ||||
| CVE-2026-0680 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-0916 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0820 | 2 Sweetdaisy86, Wordpress | 2 Repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress, Wordpress | 2026-04-15 | 4.3 Medium |
| The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. | ||||
| CVE-2026-0691 | 2 Creativemindssolutions, Wordpress | 2 Cm E-mail Blacklist – Simple Email Filtering For Safer Registration, Wordpress | 2026-04-15 | 4.4 Medium |
| The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-0725 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-6312 | 1 Google | 1 Chrome | 2026-04-15 | 3.1 Low |
| Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-30461 | 1 Daylightstudio | 1 Fuel Cms | 2026-04-15 | N/A |
| Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. | ||||
| CVE-2026-33119 | 1 Microsoft | 1 Edge | 2026-04-15 | 5.4 Medium |
| User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-33118 | 1 Microsoft | 1 Edge Chromium | 2026-04-15 | 4.3 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2026-32214 | 1 Microsoft | 29 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 26 more | 2026-04-15 | 5.5 Medium |
| Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally. | ||||