Search Results (362695 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-1216 2 Rebelcode, Wordpress 2 Rss Aggregator – Rss Import, News Feeds, Feed To Post, And Autoblogging, Wordpress 2026-04-15 7.2 High
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-1931 2 Jonschr, Wordpress 2 Rent Fetch, Wordpress 2026-04-15 7.2 High
The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1277 2 Kaizencoders, Wordpress 2 Url Shortify – Simple And Easy Url Shortener, Wordpress 2026-04-15 4.7 Medium
The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
CVE-2026-1072 2 Jamesits, Wordpress 2 Keybase.io Verification, Wordpress 2026-04-15 4.3 Medium
The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1304 2 Stellarwp, Wordpress 2 Membership Plugin - Restrict Content, Wordpress 2026-04-15 4.4 Medium
The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1666 2 Codename065, Wordpress 2 Download Manager Plugin, Wordpress 2026-04-15 6.1 Medium
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-2296 2 Acowebs, Wordpress 2 Product Addons For Woocommerce – Product Options With Custom Fields, Wordpress 2026-04-15 7.2 High
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
CVE-2026-1938 2 Wordpress, Yaycommerce 2 Wordpress, Yaymail – Woocommerce Email Customizer 2026-04-15 5.3 Medium
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce.
CVE-2026-1943 2 Wordpress, Yaycommerce 2 Wordpress, Yaymail – Woocommerce Email Customizer 2026-04-15 4.4 Medium
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-34630 3 Adobe, Apple, Microsoft 3 Bridge, Macos, Windows 2026-04-15 7.8 High
Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2026-27292 2 Adobe, Microsoft 2 Framemaker, Windows 2026-04-15 7.8 High
Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2026-27293 2 Adobe, Microsoft 2 Framemaker, Windows 2026-04-15 7.8 High
Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2026-0880 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 8.8 High
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0881 1 Mozilla 2 Firefox, Thunderbird 2026-04-15 10 Critical
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
CVE-2026-0882 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 8.8 High
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0883 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 5.3 Medium
Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0884 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 9.8 Critical
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0886 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 5.3 Medium
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0887 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2026-04-15 4.3 Medium
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
CVE-2026-0888 1 Mozilla 2 Firefox, Thunderbird 2026-04-15 5.3 Medium
Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.