Search Results (7020 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-33252 2 Lfprojects, Modelcontextprotocol 2 Mcp Go Sdk, Go-sdk 2026-04-15 7.1 High
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
CVE-2025-70844 1 Kantorge 1 Yaffa 2026-04-15 6.1 Medium
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.
CVE-2026-31040 2 Sepinetam, Statamcp 2 Stata-mcp, Stata-mcp 2026-04-15 9.8 Critical
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
CVE-2026-1516 1 Gitlab 1 Gitlab 2026-04-15 5.7 Medium
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
CVE-2025-15488 2 Responsive, Wordpress 2 Responsive Menu, Wordpress 2026-04-15 6.5 Medium
The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.
CVE-2026-1540 2 Spam Protect For Contact Form 7, Wordpress 2 Spam Protect For Contact Form 7, Wordpress 2026-04-15 7.2 High
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header
CVE-2019-25468 1 Netgain Systems 1 Netgain Em Plus 2026-04-15 9.8 Critical
NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output.
CVE-2026-2287 1 Crewai 1 Crewai 2026-04-15 9.8 Critical
CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.
CVE-2024-4261 2026-04-15 5.4 Medium
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2025-41010 1 Hiberus 1 Sintra 2026-04-15 N/A
Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.
CVE-2024-37855 1 Nepstech 1 Ntpl-xpon1gfevn Firmware 2026-04-15 8.4 High
An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials.
CVE-2020-37186 1 Chevereto 1 Chevereto 2026-04-15 9.8 Critical
Chevereto 3.13.4 Core contains a remote code execution vulnerability that allows attackers to inject malicious code during database configuration installation. Attackers can manipulate the database table prefix parameter to write a PHP shell file and execute arbitrary system commands through a crafted POST request.
CVE-2025-41243 1 Spring 2 Spring, Webflux 2026-04-15 10 Critical
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.
CVE-2025-8834 1 Jcg 1 Link-net 2026-04-15 2.4 Low
A vulnerability has been found in JCG Link-net LW-N915R 17s.20.001.908. Affected is an unknown function of the file /wireless/basic.asp of the component Wireless Basic Settings Page. The manipulation of the argument Network Name leads to cross site scripting. It is possible to launch the attack remotely.
CVE-2024-30567 2026-04-15 6.3 Medium
An issue in JNT Telecom JNT Liftcom UMS V1.J Core Version JM-V15 allows a remote attacker to execute arbitrary code via the Network Troubleshooting functionality.
CVE-2025-59952 1 Minio 1 Minio 2026-04-15 7.5 High
MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0.
CVE-2025-41366 2026-04-15 N/A
In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher than the view permission.
CVE-2024-28886 2026-04-15 8.4 High
OS command injection vulnerability exists in UTAU versions prior to v0.4.19. If a user of the product opens a crafted UTAU project file (.ust file), an arbitrary OS command may be executed.
CVE-2025-4261 2026-04-15 5.3 Medium
A vulnerability was found in GAIR-NLP factool up to 3f3914bc090b644be044b7e0005113c135d8b20f. It has been classified as critical. This affects the function run_single of the file factool/factool/math/tool.py. The manipulation leads to code injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
CVE-2024-13806 2 Wordpress, Wpkube 2 Wordpress, Authors List 2026-04-15 6.5 Medium
The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.