Search Results (74856 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33572 | 1 Openclaw | 1 Openclaw | 2026-04-01 | 8.4 High |
| OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output. | ||||
| CVE-2026-32974 | 1 Openclaw | 1 Openclaw | 2026-04-01 | 8.6 High |
| OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint. | ||||
| CVE-2025-70029 | 2 Sunbird, Sunbird-ed | 2 Sunbirded-portal, Sunbirded-portal | 2026-04-01 | 7.5 High |
| An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options. | ||||
| CVE-2026-31958 | 1 Tornadoweb | 1 Tornado | 2026-04-01 | 7.5 High |
| Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5. | ||||
| CVE-2026-28133 | 2 Wordpress, Wp Chill | 2 Wordpress, Filr | 2026-04-01 | 8.1 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.14. | ||||
| CVE-2026-27750 | 2 Avira, Gen Digital | 3 Avira Internet Security Suite, Internet Security, Avira Internet Security | 2026-04-01 | 7.8 High |
| Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target. | ||||
| CVE-2026-27749 | 2 Avira, Gen Digital | 3 Avira Internet Security Suite, Internet Security, Avira Internet Security | 2026-04-01 | 7.8 High |
| Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM. | ||||
| CVE-2026-27748 | 2 Avira, Gen Digital | 3 Avira Internet Security Suite, Internet Security, Avira Internet Security | 2026-04-01 | 7.8 High |
| Avira Internet Security contains an improper link resolution vulnerability in the Software Updater component. During the update process, a privileged service running as SYSTEM deletes a file under C:\\ProgramData without validating whether the path resolves through a symbolic link or reparse point. A local attacker can create a malicious link to redirect the delete operation to an arbitrary file, resulting in deletion of attacker-chosen files with SYSTEM privileges. This may lead to local privilege escalation, denial of service, or system integrity compromise depending on the targeted file and operating system configuration. | ||||
| CVE-2026-25418 | 2 Bitpressadmin, Wordpress | 2 Bit Form, Wordpress | 2026-04-01 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Apps Bit Form bit-form allows SQL Injection. This issue affects Bit Form: from n/a through <= 2.21.10. | ||||
| CVE-2026-24572 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 8.8 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.2.0. | ||||
| CVE-2026-24538 | 2 Omnipressteam, Wordpress | 2 Omnipress, Wordpress | 2026-04-01 | 7.6 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.7. | ||||
| CVE-2026-24524 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 8.1 High |
| Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.2.6. | ||||
| CVE-2026-22479 | 2 Themeruby, Wordpress | 2 Easy Post Submission, Wordpress | 2026-04-01 | 7.5 High |
| Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Post Submission: from n/a through <= 2.4.0. | ||||
| CVE-2026-22460 | 2 Wordpress, Wpwax | 2 Wordpress, Formgent | 2026-04-01 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax FormGent formgent allows Path Traversal. This issue affects FormGent: from n/a through <= 1.5.6. | ||||
| CVE-2026-22416 | 2 Ancorathemes, Wordpress | 2 Fixteam, Wordpress | 2026-04-01 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes FixTeam fixteam allows PHP Local File Inclusion. This issue affects FixTeam: from n/a through <= 1.5.0. | ||||
| CVE-2026-22357 | 2 Spencer Haws, Wordpress | 2 Link Whisper Free, Wordpress | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS. This issue affects Link Whisper Free: from n/a through <= 0.9.2. | ||||
| CVE-2025-69394 | 2 Cnvrse, Wordpress | 2 Cnvrse, Wordpress | 2026-04-01 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cnvrse: from n/a through < 026.02.10.20. | ||||
| CVE-2025-68989 | 2 Renzojohnson, Wordpress | 2 Contact Form 7 Extension For Mailchimp, Wordpress | 2026-04-01 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson contact-form-7-mailchimp-extension contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data. This issue affects contact-form-7-mailchimp-extension: from n/a through <= 0.9.68. | ||||
| CVE-2025-68988 | 2 O2oe, Wordpress | 2 E-invoice App Malaysia, Wordpress | 2026-04-01 | 7.5 High |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data. This issue affects E-Invoice App Malaysia: from n/a through <= 1.3.0. | ||||
| CVE-2025-68887 | 2 Cmsjunkie, Wordpress | 2 J-businessdirectory, Wordpress | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 4.0.1. | ||||