Export limit exceeded: 336870 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336870 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4734 | 1 Yoyofr | 1 Modizer | 2026-03-24 | N/A |
| Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in yoyofr modizer (libs/libopenmpt/openmpt-trunk/include/premake/contrib/curl/lib modules). This vulnerability is associated with program files imap.C. This issue affects modizer: before v4.3. | ||||
| CVE-2026-4744 | 1 Rizonesoft | 1 Notepad3 | 2026-03-24 | N/A |
| Out-of-bounds Read vulnerability in rizonesoft Notepad3 (scintilla/oniguruma/src modules). This vulnerability is associated with program files regcomp.C. This issue affects Notepad3: before 6.25.714.1. | ||||
| CVE-2026-4751 | 1 Tmate-io | 1 Tmate | 2026-03-24 | 5.3 Medium |
| NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmate: before 2.4.0. | ||||
| CVE-2026-4752 | 1 No-chicken | 1 Echo-mate | 2026-03-24 | 6.4 Medium |
| Use After Free vulnerability in No-Chicken Echo-Mate.This issue affects Echo-Mate: before V250329. | ||||
| CVE-2026-4756 | 1 Molotovcherry | 1 Android-imagemagick7 | 2026-03-24 | 7.8 High |
| Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11. | ||||
| CVE-2026-3533 | 2 Artbees, Wordpress | 2 Jupiter X Core, Wordpress | 2026-03-24 | 8.8 High |
| The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration | ||||
| CVE-2026-4617 | 1 Sourcecodester | 1 Patients Waiting Area Queue Management System | 2026-03-24 | 7.3 High |
| A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-4640 | 1 Galaxy Software Services Corporation | 1 Vitals Esp | 2026-03-24 | 7.5 High |
| Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information. | ||||
| CVE-2026-33848 | 1 Linkingvision | 1 Rapidvms | 2026-03-24 | 8.8 High |
| Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms.This issue affects rapidvms: before PR#96. | ||||
| CVE-2026-33853 | 1 Molotovcherry | 1 Android-imagemagick7 | 2026-03-24 | 5.5 Medium |
| NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10. | ||||
| CVE-2026-4001 | 2 Acowebs, Wordpress | 2 Woocommerce Custom Product Addons Pro, Wordpress | 2026-03-24 | 9.8 Critical |
| The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}). | ||||
| CVE-2026-4066 | 2 Inc2734, Wordpress | 2 Smart Custom Fields, Wordpress | 2026-03-24 | 4.3 Medium |
| The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post. | ||||
| CVE-2026-4283 | 2 Legalweb, Wordpress | 2 Wp Dsgvo Tools, Wordpress | 2026-03-24 | 9.1 Critical |
| The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode. | ||||
| CVE-2026-4612 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-03-24 | 7.3 High |
| A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the file /hotel/admin/mod_users/index.php?view=edit&id=8 of the component Parameter Handler. The manipulation of the argument account_id leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4613 | 1 Sourcecodester | 1 Ecommerce System | 2026-03-24 | 7.3 High |
| A vulnerability was found in SourceCodester E-Commerce Site 1.0. This vulnerability affects unknown code of the file /products.php. The manipulation of the argument Search results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-4615 | 1 Sourcecodester | 1 Online Catering Reservation | 2026-03-24 | 7.3 High |
| A vulnerability was identified in SourceCodester Online Catering Reservation 1.0. Impacted is an unknown function of the file /search.php. Such manipulation of the argument rcode leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | ||||
| CVE-2026-4625 | 1 Sourcecodester | 1 Online Admission System | 2026-03-24 | 7.3 High |
| A flaw has been found in SourceCodester Online Admission System 1.0. This affects an unknown function of the file /programmes.php. Executing a manipulation of the argument program can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2026-4627 | 1 D-link | 2 Dir-825, Dir-825r | 2026-03-24 | 7.2 High |
| A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected is the function handler_update_system_time of the file libdeuteron_modules.so of the component NTP Service. The manipulation results in os command injection. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-4639 | 1 Galaxy Software Services Corporation | 1 Vitals Esp | 2026-03-24 | 8.8 High |
| Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges. | ||||
| CVE-2025-8349 | 1 Tawk | 2 Live Chat, Tawk.to Live Chat | 2026-03-24 | N/A |
| Cross-site Scripting (XSS) stored vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with JavaScript payload through the chatbot. The PDF is stored by the application and subsequently displayed without proper sanitisation when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | ||||