Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,679
Showing 9,561 - 9,580 of 14,430 CVEs
CVE-2015-20119 MEDIUM - 6.4

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with cra...

Vendor: Next Click Ventures
Product: RealtyScript
Published: Mar 16, 2026
Source: NVD
CVE-2015-20117 MEDIUM - 5.3

Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmi...

Vendor: Next Click Ventures
Product: RealtyScript
Published: Mar 16, 2026
Source: NVD
CVE-2015-20116 MEDIUM - 6.1

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' bro...

Vendor: Next Click Ventures
Product: RealtyScript
Published: Mar 16, 2026
Source: NVD
CVE-2015-20114 MEDIUM - 6.1

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads in...

Vendor: Next Click Ventures
Product: RealtyScript
Published: Mar 16, 2026
Source: NVD
CVE-2015-20113 MEDIUM - 5.3

Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in...

Vendor: Next Click Ventures
Product: RealtyScript
Published: Mar 16, 2026
Source: NVD
CVE-2013-20005 MEDIUM - 5.3

Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email,...

Vendor: Qool
Product: Qool CMS
Published: Mar 16, 2026
Source: NVD
CVE-2026-32704 MEDIUM - 6.5

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This v...

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: Mar 13, 2026
Source: GitHub
CVE-2026-32630 MEDIUM - 5.3

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream...

Vendor: npm
Product: file-type
Published: Mar 13, 2026
Source: GitHub
CVE-2026-32594 MEDIUM - 7.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control...

Vendor: npm
Product: parse-server
Published: Mar 13, 2026
Source: GitHub
CVE-2026-4105 MEDIUM - 6.7

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a s...

Published: Mar 13, 2026
Source: NVD
CVE-2026-4063 MEDIUM - 4.3

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() a...

Published: Mar 13, 2026
Source: NVD
CVE-2026-3986 MEDIUM - 6.4

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` fiel...

Published: Mar 13, 2026
Source: NVD
CVE-2026-32745 MEDIUM - 6.3

In JetBrains Datalore before 2026.1, session hijacking was possible due to a missing Secure attribute in the cookie settings.

Vendor: JetBrains
Product: Datalore
Published: Mar 13, 2026
Source: NVD
CVE-2026-32612 MEDIUM - 5.4

Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Thi...

Vendor: statamic
Product: cms
Published: Mar 13, 2026
Source: NVD
CVE-2026-32598 MEDIUM - 6.5

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL, containing the plaintext reset token, at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggre...

Vendor: OneUptime
Product: oneuptime
Published: Mar 13, 2026
Source: NVD
CVE-2026-32543 MEDIUM - 5.3

Missing Authorization vulnerability in CyberChimps Responsive Blocks responsive-block-editor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Blocks: from n/a through <= 2.2.0.

Vendor: CyberChimps
Product: Responsive Blocks
Published: Mar 13, 2026
Source: NVD
CVE-2026-32487 MEDIUM - 5.3

Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Landing Page: from n/a through <= 1.2.7.

Vendor: raratheme
Product: Lawyer Landing Page
Published: Mar 13, 2026
Source: NVD
CVE-2026-32486 MEDIUM - 5.3

Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Booking: from n/a through <= 1.3.9.

Vendor: wptravelengine
Product: Travel Booking
Published: Mar 13, 2026
Source: NVD
CVE-2026-32462 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.

Vendor: Liton Arefin
Product: Master Addons for Elementor
Published: Mar 13, 2026
Source: NVD
CVE-2026-32461 MEDIUM - 5.3

Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Really Simple SSL: from n/a through <= 9.5.7.

Vendor: Really Simple Plugins
Product: Really Simple SSL
Published: Mar 13, 2026
Source: NVD