Search

Search Results (366468 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-56431 1 Xiph 1 Theora 2025-05-07 9.8 Critical
oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash.
CVE-2025-4156 1 Phpgurukul 1 Boat Booking System 2025-05-07 6.3 Medium
A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/change-image.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-4157 1 Phpgurukul 1 Boat Booking System 2025-05-07 6.3 Medium
A vulnerability was found in PHPGurukul Boat Booking System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/booking-details.php. The manipulation of the argument Status leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13569 1 Etoilewebdesign 1 Front End Users 2025-05-07 7.1 High
The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-13326 1 Ibuildapp 1 Ibuildapp 2025-05-07 6.1 Medium
The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2025-45751 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-05-07 5.4 Medium
SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field.
CVE-2022-3363 1 Ikus-soft 1 Rdiffweb 2025-05-07 9.8 Critical
Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7.
CVE-2022-39944 1 Apache 1 Linkis 2025-05-07 8.8 High
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.
CVE-2022-37202 1 Jflyfox 1 Jfinal Cms 2025-05-07 8.8 High
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list
CVE-2022-32407 1 Softr 1 Softr 2025-05-07 6.1 Medium
Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-31898 1 Gl-inet 4 Gl-ax1800, Gl-ax1800 Firmware, Gl-mt300n-v2 and 1 more 2025-05-07 6.8 Medium
gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters.
CVE-2022-2782 1 Octopus 1 Octopus Server 2025-05-07 9.1 Critical
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
CVE-2024-13098 1 Megamindstechnologies 1 Wordpress Email Newsletter 2025-05-07 5.4 Medium
The WordPress Email Newsletter WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-13094 1 Wptriggers 1 Wp Triggers Lite 2025-05-07 7.1 High
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-1453 1 Zephyrwest 1 Category Posts Widget 2025-05-07 4.8 Medium
The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-13057 1 Phycticio 1 Dyn Business Panel 2025-05-07 7.1 High
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-13056 1 Phycticio 1 Dyn Business Panel 2025-05-07 7.1 High
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-13055 1 Phycticio 1 Dyn Business Panel 2025-05-07 7.1 High
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-23044 1 Pwndoc Project 1 Pwndoc 2025-05-07 6.8 Medium
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
CVE-2022-27623 1 Synology 1 Diskstation Manager 2025-05-07 7.4 High
Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.