Export limit exceeded: 23476 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 26069 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (26069 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14075 | 2 Thimpress, Wordpress | 2 Wp Hotel Booking, Wordpress | 2026-04-22 | 5.3 Medium |
| The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | ||||
| CVE-2025-6461 | 2 Cubewp, Wordpress | 2 Cubewp, Wordpress | 2026-04-22 | 4.3 Medium |
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-15482 | 2 Chapaet, Wordpress | 2 Chapa Payment Gateway Plugin For Woocommerce, Wordpress | 2026-04-22 | 5.3 Medium |
| The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key. | ||||
| CVE-2009-2055 | 1 Cisco | 1 Ios Xr | 2026-04-22 | 5.9 Medium |
| Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute, as demonstrated in the wild on 17 August 2009. | ||||
| CVE-2026-6782 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 7.5 High |
| Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6779 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 5.3 Medium |
| Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||||
| CVE-2026-6770 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | 6.5 Medium |
| Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | ||||
| CVE-2025-4593 | 2026-04-22 | 6.5 Medium | ||
| The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more. | ||||
| CVE-2015-5317 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2026-04-22 | 7.5 High |
| The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request. | ||||
| CVE-2016-3715 | 6 Canonical, Imagemagick, Opensuse and 3 more | 31 Ubuntu Linux, Imagemagick, Leap and 28 more | 2026-04-22 | 5.5 Medium |
| The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. | ||||
| CVE-2025-9808 | 2 Theeventscalendar, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-22 | 5.3 Medium |
| The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues. | ||||
| CVE-2017-15944 | 1 Paloaltonetworks | 1 Pan-os | 2026-04-22 | 9.8 Critical |
| Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface. | ||||
| CVE-2009-0927 | 2 Adobe, Redhat | 2 Acrobat Reader, Rhel Extras | 2026-04-22 | 8.8 High |
| Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658. | ||||
| CVE-2013-7331 | 1 Microsoft | 10 Internet Explorer, Windows 7, Windows 8 and 7 more | 2026-04-22 | 6.5 Medium |
| The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014. | ||||
| CVE-2013-6282 | 1 Linux | 1 Linux Kernel | 2026-04-22 | 8.8 High |
| The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013. | ||||
| CVE-2017-0148 | 2 Microsoft, Siemens | 27 Server Message Block, Windows 10 1507, Windows 10 1511 and 24 more | 2026-04-22 | 8.1 High |
| The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146. | ||||
| CVE-2015-2291 | 2 Intel, Microsoft | 3 Ethernet Diagnostics Driver Iqvw32.sys, Ethernet Diagnostics Driver Iqvw64.sys, Windows | 2026-04-22 | 7.8 High |
| (1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call. | ||||
| CVE-2025-0318 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-22 | 5.3 Medium |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table. | ||||
| CVE-2025-12010 | 2 Wordpress, Wpkube | 2 Wordpress, Authors List | 2026-04-22 | 6.5 Medium |
| The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes | ||||
| CVE-2025-12408 | 2 Netweblogic, Wordpress | 2 Events Manager, Wordpress | 2026-04-22 | 5.3 Medium |
| The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to. | ||||