Search Results (363250 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-62969 2 Wordpress, Xlplugins 2 Wordpress, Nextmove 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Stored XSS.This issue affects NextMove Lite: from n/a through <= 2.23.0.
CVE-2026-3321 1 On24 2 On24 Q&a Chat, On24 Q A Chat 2026-04-01 N/A
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
CVE-2026-4317 1 Umami Software Application 1 Umami Software 2026-04-01 N/A
SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.
CVE-2025-14213 1 Cato Networks 1 Socket 2026-04-01 N/A
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system.
CVE-2026-5190 1 Aws 1 Aws-c-event-stream 2026-04-01 7.5 High
Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.
CVE-2026-5020 1 Totolink 2 A3600r, A3600r Firmware 2026-04-01 6.3 Medium
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
CVE-2026-34509 1 Openclaw 1 Openclaw 2026-04-01 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-34508 1 Openclaw 1 Openclaw 2026-04-01 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-9497 1 Microchip 1 Timeprovider 4100 2026-04-01 9.8 Critical
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
CVE-2025-69092 2 Wordpress, Wpdeveloper 2 Wordpress, Essential Addons For Elementor 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.
CVE-2025-67937 3 Mikado-themes, Qodeinteractive, Wordpress 3 Hendon, Hendon, Wordpress 2026-04-01 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7.
CVE-2025-67936 3 Mikado-themes, Qodeinteractive, Wordpress 3 Curly, Curly, Wordpress 2026-04-01 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3.
CVE-2025-67935 3 Mikado-themes, Qodeinteractive, Wordpress 3 Optimize, Optimize, Wordpress 2026-04-01 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4.
CVE-2025-67543 2 Catchthemes, Wordpress 2 Essential Widgets, Wordpress 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS.This issue affects Essential Widgets: from n/a through <= 2.2.2.
CVE-2025-64380 3 Booster, Pluggabl, Wordpress 3 Booster For Woocommerce, Booster For Woocommerce, Wordpress 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Stored XSS.This issue affects Booster for WooCommerce: from n/a through <= 7.3.2.
CVE-2025-64379 3 Booster, Pluggabl, Wordpress 3 Booster For Woocommerce, Booster For Woocommerce, Wordpress 2026-04-01 4.3 Medium
Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booster for WooCommerce: from n/a through <= 7.4.0.
CVE-2025-64258 2 Wordpress, Wpwebelite 2 Wordpress, Follow My Blog Post 2026-04-01 7.5 High
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through <= 2.3.9.
CVE-2025-64224 2 Themegoods, Wordpress 2 Grand Conference, Wordpress 2026-04-01 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected XSS.This issue affects Grand Conference Theme Custom Post Type: from n/a through < 2.6.4.
CVE-2025-64196 3 Booster, Pluggabl, Wordpress 3 Booster For Woocommerce, Booster For Woocommerce, Wordpress 2026-04-01 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS.This issue affects Booster for WooCommerce: from n/a through <= 7.2.5.
CVE-2025-63045 2 Averta, Wordpress 2 Master Slider Pro, Wordpress 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS.This issue affects Master Slider Pro: from n/a through <= 3.7.12.