Export limit exceeded: 328206 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (328206 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50864 | 2026-01-26 | 6.5 Medium | ||
| An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation. | ||||
| CVE-2024-41358 | 1 Phpipam | 1 Phpipam | 2026-01-26 | 6.1 Medium |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php. | ||||
| CVE-2024-41349 | 1 Unmark | 1 Unmark | 2026-01-26 | 6.1 Medium |
| unmark 1.9.2 is vulnerable to Cross Site Scripting (XSS) via application/views/marks/add_by_url.php. | ||||
| CVE-2024-41348 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/alsearch.php | ||||
| CVE-2024-41347 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/settings.php | ||||
| CVE-2024-41346 | 1 Jpatokal | 1 Openflights | 2026-01-26 | 6.1 Medium |
| openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/submit.php | ||||
| CVE-2021-47755 | 1 Softlinkint | 2 Oliver Library Server, Oliver V5 Library | 2026-01-26 | 7.5 High |
| Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem. | ||||
| CVE-2021-47754 | 1 Arunna | 1 Arunna | 2026-01-26 | 6.5 Medium |
| Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | ||||
| CVE-2018-25149 | 1 Microhardcorp | 22 Bullet-3g, Bullet-3g Firmware, Bullet-lte and 19 more | 2026-01-26 | 6.5 Medium |
| Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page. | ||||
| CVE-2025-8460 | 1 Centreon | 2 Centreon, Open Tickets | 2026-01-26 | 6.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | ||||
| CVE-2024-54123 | 1 Backdropcms | 1 Backdrop | 2026-01-26 | 6.1 Medium |
| Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format. | ||||
| CVE-2026-1257 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 7.5 High |
| The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | ||||
| CVE-2025-14903 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.3 Medium |
| The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1070 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.3 Medium |
| The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-0807 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 7.2 High |
| The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. | ||||
| CVE-2025-12836 | 2 Vektor, Wordpress | 2 Vk Google Job Posting Manager, Wordpress | 2026-01-26 | 6.4 Medium |
| The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14906 | 2 Waqasvickey0071, Wordpress | 2 Wp Youtube Video Gallery, Wordpress | 2026-01-26 | 4.3 Medium |
| The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1076 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.3 Medium |
| The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13374 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 9.8 Critical |
| The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2026-0806 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.9 Medium |
| The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||