Export limit exceeded: 367078 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367078 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-10708 1 Bowo 1 System Dashboard 2025-05-17 4.9 Medium
The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server
CVE-2022-38946 1 Divscorp 1 Doctor-appointment 2025-05-17 9.8 Critical
Arbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code.
CVE-2022-38947 1 Jigar-sable 1 Flipkart-clone-php 2025-05-17 9.8 Critical
SQL Injection vulnerability in Flipkart-Clone-PHP version 1.0 in entry.php in product_title parameter, allows attackers to execute arbitrary code.
CVE-2024-10480 1 Wp3dprinting 1 3dprint Lite 2025-05-17 4.3 Medium
The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2024-10893 1 Wpbookingcalendar 1 Wp Booking Calendar 2025-05-17 4.8 Medium
The WP Booking Calendar WordPress plugin before 10.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-9934 2 Aueda, Silkypress 2 Wp-imagezoom, Wp Image Zoom 2025-05-17 6.1 Medium
The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2024-8378 1 10up 1 Safe Svg 2025-05-17 4.8 Medium
The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data.
CVE-2024-51242 1 Eladmin 1 Eladmin 2025-05-17 6.5 Medium
A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF.
CVE-2024-5429 1 Logichunt 1 Logo Slider 2025-05-17 7.6 High
The Logo Slider WordPress plugin before 4.1.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2024-48411 2 Mayurik, Online Tours And Travels Management System Project 2 Online Tours \& Travels Management System, Online Tours And Travels Management System 2025-05-17 9.8 Critical
itsourcecode Online Tours and Travels Management System v1.0 is vulnerable to SQL Injection (SQLI) via a crafted payload to the val-email parameter in forget_password.php.
CVE-2024-8207 2 Linux, Mongodb 2 Linux Kernel, Mongodb 2025-05-16 6.4 Medium
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue
CVE-2024-45983 1 Kishan0725 1 Hospital Management System 2025-05-16 6.3 Medium
A Cross-Site Request Forgery (CSRF) vulnerability exists in kishan0725's Hospital Management System version 6.3.5. The vulnerability allows an attacker to craft a malicious HTML form that submits a request to delete a doctor record. By enticing an authenticated admin user to visit the specially crafted web page, the attacker can leverage the victim's browser to make unauthorized requests to the vulnerable endpoint, effectively allowing the attacker to perform actions on behalf of the admin without their consent.
CVE-2024-39928 2 Apache, Apache Software Foundation 2 Linkis, Apache Linkis Spark Engineconn 2025-05-16 7.5 High
In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
CVE-2024-3673 1 Salephpscripts 1 Web Directory Free 2025-05-16 9.1 Critical
The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.
CVE-2023-24163 1 Hutool 1 Hutool 2025-05-16 9.8 Critical
SQL Inection vulnerability in Dromara hutool before 5.8.21 allows attacker to execute arbitrary code via the aviator template engine.
CVE-2023-24468 1 Microfocus 1 Netiq Advanced Authentication 2025-05-16 9.8 Critical
Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2
CVE-2022-48425 1 Linux 1 Linux Kernel 2025-05-16 7.8 High
In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
CVE-2024-7891 2 Christoph Nagel, Just-a-web-developer 2 Floating Contact Button, Floating Contact Button 2025-05-16 4.8 Medium
The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVE-2024-7955 1 Squirrly 1 Starbox 2025-05-16 4.8 Medium
The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-7846 1 Yithemes 1 Yith Woocommerce Ajax Search 2025-05-16 5.4 Medium
YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts.