Export limit exceeded: 333583 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (333583 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-20115 | 1 Next Click Ventures | 1 Realtyscript | 2026-03-16 | 7.2 High |
| Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users. | ||||
| CVE-2015-20113 | 1 Next Click Ventuers | 1 Realtyscript | 2026-03-16 | 5.3 Medium |
| Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in users visit them, or inject persistent scripts that execute in the application context. | ||||
| CVE-2013-20005 | 1 Qool | 1 Qool Cms | 2026-03-16 | 5.3 Medium |
| Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent. | ||||
| CVE-2026-4063 | 2 Wordpress, Wpzoom | 2 Wordpress, Social Icons Widget & Block – Social Media Icons & Share Buttons | 2026-03-16 | 4.3 Medium |
| The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter. | ||||
| CVE-2026-32597 | 1 Jpadilla | 1 Pyjwt | 2026-03-16 | 7.5 High |
| PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0. | ||||
| CVE-2026-32448 | 2 Eric Teubert, Wordpress | 2 Podlove Podcast Publisher, Wordpress | 2026-03-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.This issue affects Podlove Podcast Publisher: from n/a through <= 4.3.3. | ||||
| CVE-2026-32433 | 2 Codepeople, Wordpress | 2 Cp Contact Form With Paypal, Wordpress | 2026-03-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61. | ||||
| CVE-2026-32430 | 2 Ideabox, Wordpress | 2 Powerpack Addons For Elementor, Wordpress | 2026-03-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IdeaBox Creations PowerPack Addons for Elementor powerpack-lite-for-elementor allows Stored XSS.This issue affects PowerPack Addons for Elementor: from n/a through <= 2.9.9. | ||||
| CVE-2026-32423 | 2 Bowo, Wordpress | 2 Admin And Site Enhancements Ase, Wordpress | 2026-03-16 | 5.4 Medium |
| Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 8.4.0. | ||||
| CVE-2026-32412 | 2 Giftup, Wordpress | 2 Gift Up Gift Cards For Wordpress And Woocommerce, Wordpress | 2026-03-16 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7. | ||||
| CVE-2026-32410 | 2 Woobewoo, Wordpress | 2 Wbw Currency Switcher For Woocommerce, Wordpress | 2026-03-16 | 5.3 Medium |
| Missing Authorization vulnerability in WBW Plugins WBW Currency Switcher for WooCommerce woo-currency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WBW Currency Switcher for WooCommerce: from n/a through <= 2.2.5. | ||||
| CVE-2026-32409 | 2 Wordpress, Wpmu Dev - Your All-in-one Wordpress Platform | 2 Wordpress, Forminator | 2026-03-16 | 5.3 Medium |
| Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through <= 1.50.2. | ||||
| CVE-2026-32407 | 2 Wordpress, Wpclever | 2 Wordpress, Wpc Smart Wishlist For Woocommerce | 2026-03-16 | 4.3 Medium |
| Missing Authorization vulnerability in WPClever WPC Smart Wishlist for WooCommerce woo-smart-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Smart Wishlist for WooCommerce: from n/a through <= 5.0.8. | ||||
| CVE-2026-32406 | 2 Wordpress, Wpclever | 2 Wordpress, Wpc Product Bundles For Woocommerce | 2026-03-16 | 4.3 Medium |
| Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Product Bundles for WooCommerce: from n/a through <= 8.4.5. | ||||
| CVE-2026-32399 | 2 Davidlingren, Wordpress | 2 Media Library Assistant, Wordpress | 2026-03-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Blind SQL Injection.This issue affects Media LIbrary Assistant: from n/a through <= 3.32. | ||||
| CVE-2026-32362 | 2 Activity-log.com, Wordpress | 2 Wp Sessions Time Monitoring Full Automatic, Wordpress | 2026-03-16 | 5.3 Medium |
| Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3. | ||||
| CVE-2016-20028 | 1 Zkteco | 1 Zkbiosecurity | 2026-03-16 | 4.3 Medium |
| ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages. | ||||
| CVE-2017-20223 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2026-03-16 | 9.8 Critical |
| Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls. | ||||
| CVE-2016-20027 | 1 Zkteco | 1 Zkbiosecurity | 2026-03-16 | 6.1 Medium |
| ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application. | ||||
| CVE-2017-20218 | 1 Serviio | 1 Serviio Pro | 2026-03-16 | 7.8 High |
| Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot. | ||||