Search

Search Results (363761 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-10709 2 Antongorodezkiy, Yadisk Files 2 Yadisk Files, Yadisk Files 2026-01-09 6.8 Medium
The YaDisk Files WordPress plugin through 1.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-67269 1 Gpsd Project 1 Gpsd 2026-01-09 7.5 High
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
CVE-2022-48220 1 Hp 76 Elite Mini 600 G9, Elite Mini 600 G9 Desktop Pc, Elite Mini 600 G9 Firmware and 73 more 2026-01-09 6.4 Medium
Potential vulnerabilities have been identified in certain HP Desktop PC products using the HP TamperLock feature, which might allow intrusion detection bypass via a physical attack. HP is releasing firmware and guidance to mitigate these potential vulnerabilities.
CVE-2022-48219 1 Hp 76 Elite Mini 600 G9, Elite Mini 600 G9 Desktop Pc, Elite Mini 600 G9 Firmware and 73 more 2026-01-09 6.4 Medium
Potential vulnerabilities have been identified in certain HP Desktop PC products using the HP TamperLock feature, which might allow intrusion detection bypass via a physical attack. HP is releasing firmware and guidance to mitigate these potential vulnerabilities.
CVE-2025-60458 1 Antimof 1 Uxplay 2026-01-09 6.5 Medium
UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service.
CVE-2025-15168 2 Angeljudesuarez, Itsourcecode 2 Student Management System, Student Management System 2026-01-09 7.3 High
A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
CVE-2025-6200 1 Ayecode 1 Geodirectory 2026-01-09 5.9 Medium
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-2561 1 Ninjaforms 1 Ninja Forms 2026-01-09 4.8 Medium
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-2560 1 Ninjaforms 1 Ninja Forms 2026-01-09 4.8 Medium
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-2524 1 Ninjaforms 1 Ninja Forms 2026-01-09 4.8 Medium
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-1627 1 Qodeinteractive 1 Qi Blocks 2026-01-09 5.4 Medium
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-1626 1 Qodeinteractive 1 Qi Blocks 2026-01-09 5.4 Medium
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Countdown block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-1625 1 Qodeinteractive 1 Qi Blocks 2026-01-09 5.4 Medium
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-1382 1 Lordlinus 1 Contact Us 2026-01-09 6.1 Medium
The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-9828 1 Taskbuilder 1 Taskbuilder 2026-01-09 4.1 Medium
The Taskbuilder WordPress plugin before 3.0.5 does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks
CVE-2024-9458 1 Reservit 1 Reservit Hotel 2026-01-09 4.8 Medium
The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-3643 2 Mndpsingh287, Newsletter Popup Project 2 Newsletter Popup, Newsletter Popup 2026-01-09 8.8 High
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack
CVE-2024-3406 1 Goprayer 1 Wp Prayer 2026-01-09 8.8 High
The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-13669 1 Margiov 1 Calendapp 2026-01-09 6.1 Medium
The CalendApp WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-13352 1 Alwayscurious 1 Legull 2026-01-09 7.1 High
The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.