Total
344875 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37091 | 1 Maian | 2 Support, Support Helpdesk | 2026-04-15 | 5.3 Medium |
| Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. | ||||
| CVE-2025-12457 | 2 Ideastocode, Wordpress | 2 Enable Svg, Webp & Ico Upload, Wordpress | 2026-04-15 | 6.4 Medium |
| The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2026-26370 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2026-04-15 | N/A |
| WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. | ||||
| CVE-2025-5933 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2020-37099 | 1 Disksavvy | 1 Disksavvy Enterprise | 2026-04-15 | 7.8 High |
| Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malicious executables and escalate privileges. | ||||
| CVE-2020-37101 | 2 Keepsolid, Vpnunlimitedapp | 2 Vpn Unlimited, Vpn Unlimited | 2026-04-15 | 7.8 High |
| VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\VPN Unlimited\' to replace the service executable and gain elevated system privileges. | ||||
| CVE-2025-6040 | 2026-04-15 | 6.1 Medium | ||
| The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8603 | 2026-04-15 | 6.4 Medium | ||
| The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-37108 | 1 Allhandsmarketing | 1 Phpix 2012 Professional | 2026-04-15 | 7.1 High |
| PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. | ||||
| CVE-2022-50658 | 1 Linux | 1 Linux Kernel | 2026-04-15 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix memory leak in error path If for some reason the speedbin length is incorrect, then there is a memory leak in the error path because we never free the speedbin buffer. This commit fixes the error path to always free the speedbin buffer. | ||||
| CVE-2025-24576 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Landing Page Cat landing-page-cat allows Reflected XSS.This issue affects Landing Page Cat: from n/a through <= 1.7.7. | ||||
| CVE-2024-55557 | 2026-04-15 | 9.8 Critical | ||
| ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials. | ||||
| CVE-2024-2795 | 2 Looswebstudio, Wordpress | 2 Seo Simple Pack, Wordpress | 2026-04-15 | 5.3 Medium |
| The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected posts. | ||||
| CVE-2022-50662 | 1 Linux | 1 Linux Kernel | 2026-04-15 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: fix memory leak in hns_roce_alloc_mr() When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released. Compiled test only. | ||||
| CVE-2022-50665 | 1 Linux | 1 Linux Kernel | 2026-04-15 | 7.0 High |
| In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(), as below, it will not print when debug_mask is not set ATH11K_DBG_DATA. ath11k_dbg(ab, ATH11K_DBG_DATA, "failed to find the peer with peer_id %d\n", ppdu_info.peer_id); When run scan with station disconnected, the peer_id is 0 for case HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is reset to 0 in the while loop, so it does not match condition of the check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and then the log "failed to find the peer with peer_id 0" print after the check in the loop, it is below call stack when debug_mask is set ATH11K_DBG_DATA. The reason is this commit 01d2f285e3e5 ("ath11k: decode HE status tlv") add "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in ath11k_dp_rx_process_mon_status(), but the commit does not initialize the peer_id to HAL_INVALID_PEERID, then lead the check mis-match. Callstack of the failed log: [12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k] [12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd [12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246 [12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000 [12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18 [12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000 [12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40 [12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000 [12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000 [12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0 [12335.689360] Call Trace: [12335.689377] <IRQ> [12335.689418] ? rcu_read_lock_held_common+0x12/0x50 [12335.689447] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689471] ? rcu_read_lock_held_common+0x12/0x50 [12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689653] ? lock_acquire+0xef/0x360 [12335.689681] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k] [12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689860] call_timer_fn+0xb2/0x2f0 [12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689970] run_timer_softirq+0x21f/0x540 [12335.689999] ? ktime_get+0xad/0x160 [12335.690025] ? lapic_next_deadline+0x2c/0x40 [12335.690053] ? clockevents_program_event+0x82/0x100 [12335.690093] __do_softirq+0x151/0x4a8 [12335.690135] irq_exit_rcu+0xc9/0x100 [12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0 [12335.690189] </IRQ> [12335.690204] <TASK> [12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20 Reset the default value to HAL_INVALID_PEERID each time after memset of ppdu_info as well as others memset which existed in function ath11k_dp_rx_process_mon_status(), then the failed log disappeared. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 | ||||
| CVE-2025-6193 | 1 Redhat | 1 Openshift Ai | 2026-04-15 | 5.9 Medium |
| A command injection vulnerability was discovered in the TrustyAI Explainability toolkit. Arbitrary commands placed in certain fields of a LMEValJob custom resource (CR) may be executed in the LMEvalJob pod's terminal. This issue can be exploited via a maliciously crafted LMEvalJob by a user with permissions to deploy a CR. | ||||
| CVE-2020-37011 | 1 Gnome | 2 Fonts Viewer, Gnome-font-viewer | 2026-04-15 | 7.5 High |
| Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process. | ||||
| CVE-2024-2797 | 2026-04-15 | 5.3 Medium | ||
| The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to allow lower level users to modify forms. | ||||
| CVE-2025-58951 | 2 Smartcmsmarket, Wordpress | 2 Advance Seat Reservation Management For Woocommerce, Wordpress | 2026-04-15 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1. | ||||
| CVE-2025-46185 | 1 Pgcodekeeper | 1 Pgcodekeeper | 2026-04-15 | 6.2 Medium |
| An Insecure Permission vulnerability in pgcodekeeper 10.12.0 allows a local attacker to obtain sensitive information via the plaintext storage of passwords and usernames. | ||||