Export limit exceeded: 366908 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (366908 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-6142 1 Armanidrisi 1 Dev Blog 2025-05-19 5.4 Medium
Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.
CVE-2023-45121 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'desc' parameter of the /update.php?q=addquiz resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-45120 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'qid' parameter of the /update.php?q=quiz&step=2 resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-45119 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'n' parameter of the /update.php?q=quiz resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-45118 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-45117 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-45116 1 Projectworlds 1 Online Examination System 2025-05-19 8.8 High
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'demail' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2023-6385 1 Wordpress Ping Optimizer Project 1 Wordpress Ping Optimizer 2025-05-19 4.3 Medium
The WordPress Ping Optimizer WordPress plugin through 2.35.1.3.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as clearing logs.
CVE-2024-1958 1 Wpb Show Core Project 1 Wpb Show Core 2025-05-19 4.8 Medium
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users
CVE-2024-1956 1 Wpb Show Core Project 1 Wpb Show Core 2025-05-19 6.1 Medium
The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting
CVE-2024-1292 1 Wpb Show Core Project 1 Wpb Show Core 2025-05-19 4.7 Medium
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2024-2016 1 Zhicms 1 Zhicms 2025-05-19 6.3 Medium
A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability.
CVE-2023-48902 1 Tramyardg 1 Autoexpress 2025-05-19 9.8 Critical
An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.
CVE-2023-48903 1 Tramyardg 1 Autoexpress 2025-05-19 6.1 Medium
Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php.
CVE-2023-48901 1 Tramyardg 1 Autoexpress 2025-05-19 9.8 Critical
A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter "id" within the getPhotosByCarId function call in details.php.
CVE-2024-2015 1 Zhicms 1 Zhicms 2025-05-19 6.3 Medium
A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability.
CVE-2024-2568 1 Heyewei 1 Jfinalcms 2025-05-19 4.7 Medium
A vulnerability has been found in heyewei JFinalCMS 5.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/div_data/delete?divId=9 of the component Custom Data Page. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257071.
CVE-2024-26466 1 Web-platform-tests 1 Web-platform-tests 2025-05-19 6.1 Medium
A DOM based cross-site scripting (XSS) vulnerability in the component /dom/ranges/Range-test-iframe.html of web-platform-tests/wpt before commit 938e843 allows attackers to execute arbitrary Javascript via sending a crafted URL.
CVE-2024-41693 1 Priority-software 1 Mashov 2025-05-19 6.1 Medium
Mashov - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-4149 1 Netgear 2 Ex6200, Ex6200 Firmware 2025-05-19 8.8 High
A vulnerability was found in Netgear EX6200 1.0.3.94. It has been classified as critical. This affects the function sub_54014. The manipulation of the argument host leads to buffer overflow. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.