Search Results (363853 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-11351 2026-04-15 5.3 Medium
The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
CVE-2024-11401 1 Rapid7 1 Insight Platform 2026-04-15 N/A
Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.
CVE-2024-11737 2026-04-15 9.8 Critical
CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device.
CVE-2024-11840 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.
CVE-2024-6188 2026-04-15 5.3 Medium
A vulnerability was found in Parsec Automation TrackSYS 11.x.x and classified as problematic. This issue affects some unknown processing of the file /TS/export/pagedefinition. The manipulation of the argument ID leads to direct request. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269159. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9994 2026-04-15 9.8 Critical
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
CVE-2025-41427 1 Elecom 3 Wrc-x3000gs, Wrc-x3000gsa, Wrc-x3000gsn 2026-04-15 N/A
WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.
CVE-2025-41659 1 Codesys 1 Control 2026-04-15 8.3 High
A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
CVE-2025-9996 1 Schneider-electric 1 Blmon 2026-04-15 N/A
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.
CVE-2025-41715 2026-04-15 9.8 Critical
The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.
CVE-2024-35295 2026-04-15 6.1 Medium
A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to the device's control unit configuration. This could allow an attacker with physical access to the maintenance connection's door port to perform arbitrary configuration changes.
CVE-2025-9999 1 Arcinfo 1 Pcvue 2026-04-15 N/A
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.
CVE-2024-35297 1 Wordpress 1 Wordpress 2026-04-15 4.7 Medium
Cross-site scripting vulnerability exists in WP Booking versions prior to 2.4.5. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
CVE-2024-35298 2026-04-15 4.3 Medium
Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device. As a result, the user may become a victim of a phishing attack.
CVE-2024-35341 2026-04-15 7.5 High
Certain Anpviz products allow unauthenticated users to download the running configuration of the device via a HTTP GET request to /ConfigFile.ini or /config.xml URIs. This configuration file contains usernames and encrypted passwords (encrypted with a hardcoded key common to all devices). This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera.
CVE-2024-35515 1 Sqlitedict 1 Sqlitedict 2026-04-15 9.8 Critical
Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.
CVE-2024-35548 2026-04-15 5.4 Medium
A SQL injection vulnerability in Mybatis plus versions below 3.5.6 allows remote attackers to obtain database information via a Boolean blind injection. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.
CVE-2025-53882 1 Suse 1 Opensuse Tumbleweed 2026-04-15 4.4 Medium
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
CVE-2025-54296 2026-04-15 N/A
A stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla was discovered.
CVE-2024-35636 2026-04-15 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Uploadcare Uploadcare File Uploader and Adaptive Delivery (beta) uploadcare.This issue affects Uploadcare File Uploader and Adaptive Delivery (beta): from n/a through 3.0.11.