Export limit exceeded: 12060 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12060 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50483 | 2 Meetup, Tareqhasan | 2 Meetup, Meetup | 2026-04-23 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in Tareq Hasan Meetup meetup allows Privilege Escalation.This issue affects Meetup: from n/a through <= 0.1. | ||||
| CVE-2024-50463 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2026-04-23 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.This issue affects Sunshine Photo Cart: from n/a through <= 3.2.9. | ||||
| CVE-2024-50442 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2026-04-23 | 6.5 Medium |
| Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through <= 1.3.980. | ||||
| CVE-2024-49682 | 1 Simple-membership-plugin | 1 Simple Membership | 2026-04-23 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in wp.insider Simple Membership simple-membership allows Phishing.This issue affects Simple Membership: from n/a through <= 4.5.3. | ||||
| CVE-2024-47648 | 1 Theeventprime | 1 Eventprime | 2026-04-23 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Metagauss EventPrime eventprime-event-calendar-management.This issue affects EventPrime: from n/a through <= 4.0.4.5. | ||||
| CVE-2024-47646 | 2026-04-23 | 4.7 Medium | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in tomlister Payflex Payment Gateway payflex-payment-gateway.This issue affects Payflex Payment Gateway: from n/a through <= 2.6.1. | ||||
| CVE-2024-47354 | 2026-04-23 | 4.7 Medium | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in wp.insider Simple Membership After Login Redirection simple-membership-after-login-redirection.This issue affects Simple Membership After Login Redirection: from n/a through <= 1.6. | ||||
| CVE-2024-47353 | 1 Quomodosoft | 1 Elementsready | 2026-04-23 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in quomodosoft ElementsReady Addons for Elementor element-ready-lite.This issue affects ElementsReady Addons for Elementor: from n/a through 6.4.2. | ||||
| CVE-2024-47316 | 1 Salonbookingsystem | 1 Salon Booking System | 2026-04-23 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Dimitri Grassi Salon booking system salon-booking-system.This issue affects Salon booking system: from n/a through <= 10.9. | ||||
| CVE-2024-43266 | 1 Wpjobportal | 1 Wp Job Portal | 2026-04-23 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal.This issue affects WP Job Portal: from n/a through <= 2.1.8. | ||||
| CVE-2024-43239 | 1 Masteriyo | 1 Masteriyo | 2026-04-23 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.11.4. | ||||
| CVE-2026-30459 | 2 Daylightstudio, Thedaylightstudio | 2 Fuel Cms, Fuel Cms | 2026-04-23 | 7.1 High |
| An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. | ||||
| CVE-2026-33149 | 2 Tandoor, Tandoorrecipes | 2 Recipes, Recipes | 2026-04-23 | 8.1 High |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available. | ||||
| CVE-2026-22735 | 2 Spring, Vmware | 2 Spring Foundation, Spring Framework | 2026-04-23 | 2.6 Low |
| Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. | ||||
| CVE-2026-34454 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-23 | 3.5 Low |
| OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2 | ||||
| CVE-2026-0971 | 1 Fortra | 2 Goanywhere Managed File Transfer, Goanywhere Mft | 2026-04-23 | 4.3 Medium |
| An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page. | ||||
| CVE-2024-58087 | 1 Linux | 1 Linux Kernel | 2026-04-23 | 8.1 High |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue from session lookup and expire Increment the session reference count within the lock for lookup to avoid racy issue with session expire. | ||||
| CVE-2026-40896 | 2 Openproject, Opf | 2 Openproject, Openproject | 2026-04-23 | 6.5 Medium |
| OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue. | ||||
| CVE-2006-6811 | 2 Canonical, Kde | 2 Ubuntu Linux, Ksirc | 2026-04-23 | 6.5 Medium |
| KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a buffer overflow. | ||||
| CVE-2009-0935 | 1 Linux | 1 Linux Kernel | 2026-04-23 | 5.5 Medium |
| The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6.28 to 2.6.28.2, and 2.6.29-rc3 allows local users to cause a denial of service (OOPS) via a read with an invalid address to an inotify instance, which causes the device's event list mutex to be unlocked twice and prevents proper synchronization of a data structure for the inotify instance. | ||||