Export limit exceeded: 364976 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364976 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12701 | 2026-04-15 | 6.1 Medium | ||
| The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-52162 | 2026-04-15 | 6.5 Medium | ||
| agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data via providing a crafted XML input. | ||||
| CVE-2025-52163 | 2026-04-15 | 6.5 Medium | ||
| A Server-Side Request Forgery (SSRF) in the component TunnelServlet of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows attackers to forcefully initiate connections to arbitrary internal and external resources via a crafted request. This can lead to sensitive data exposure. | ||||
| CVE-2025-53867 | 2026-04-15 | 9.8 Critical | ||
| Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. | ||||
| CVE-2023-49367 | 1 Kyocera | 1 Command Center Rx | 2026-04-15 | 8.8 High |
| An issue in user interface in Kyocera Command Center RX EXOSYS M5521cdn allows remote to obtain sensitive information via inspecting sent packages by user. | ||||
| CVE-2025-28357 | 1 Neto | 1 Cms | 2026-04-15 | 8.8 High |
| A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request. | ||||
| CVE-2025-50864 | 2026-04-15 | 6.5 Medium | ||
| An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation. | ||||
| CVE-2025-50753 | 1 Mitrastar | 1 Gpt-2741gnac-n2 | 2026-04-15 | 8.4 High |
| Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell. | ||||
| CVE-2025-51989 | 1 Evolution Consulting | 1 Hrmaster | 2026-04-15 | 7 High |
| HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any, previously not registered, email address. | ||||
| CVE-2025-50567 | 1 Saurus | 1 Saurus Cms | 2026-04-15 | 10 Critical |
| Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. | ||||
| CVE-2025-51965 | 1 Ourphp | 1 Ourphp | 2026-04-15 | 6.1 Medium |
| OURPHP thru 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface. | ||||
| CVE-2025-56399 | 2 Alexusmai, Laravel | 2 Laravel-file-manager, Laravel | 2026-04-15 | 8.8 High |
| alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code. | ||||
| CVE-2025-56438 | 1 Nous | 1 W3 Smart Wifi Camera | 2026-04-15 | 6.8 Medium |
| An issue in the firmware update mechanism of Nous W3 Smart WiFi Camera v1.33.50.82 allows unauthenticated and physically proximate attackers to escalate privileges to root via supplying a crafted update.tar archive file stored on a FAT32-formatted SD card. | ||||
| CVE-2025-56447 | 1 Tm2 | 1 Monitoring | 2026-04-15 | 9.8 Critical |
| TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure. | ||||
| CVE-2025-57457 | 1 Curo | 1 Uc300 | 2026-04-15 | 8.8 High |
| An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter. | ||||
| CVE-2025-60419 | 1 Realtek | 1 Ndis | 2026-04-15 | 6.2 Medium |
| An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service. | ||||
| CVE-2025-60805 | 1 Bessystem | 1 Application Server | 2026-04-15 | 7.5 High |
| An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml. | ||||
| CVE-2025-61524 | 1 Casbin | 1 Casdoor | 2026-04-15 | 7.2 High |
| An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login | ||||
| CVE-2025-69752 | 1 Ideagen | 1 Q-pulse | 2026-04-15 | 4.3 Medium |
| An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. | ||||
| CVE-2025-71056 | 1 Szgcom | 1 Gcom Epon 1ge Onu | 2026-04-15 | 8.1 High |
| Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | ||||