Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,798
Showing 10,401 - 10,420 of 14,604 CVEs

CVE-2018-25190 MEDIUM - 5.3

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, passw...

Vendor: Sourceforge
Product: Easyndexer
Published: Mar 06, 2026
Source: NVD

CVE-2018-25186 MEDIUM - 5.3

Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can craft HTML forms targeting the /kim/profile endpoint with hidden fields containing malicious user dat...

Vendor: Tina4
Product: Tina4 Stack
Published: Mar 06, 2026
Source: NVD

CVE-2018-25184 MEDIUM - 6.2

Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. Attackers can supply directory traversal sequences through the content parameter in index.php to access sensitive system files like ...

Vendor: Getsurreal
Product: Surreal ToDo
Published: Mar 06, 2026
Source: NVD

CVE-2018-25177 MEDIUM - 5.3

Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. Attackers can send requests to dca_resetpw.php with parameters updateuser, pass, pass2, and submit_reset to c...

Vendor: Sourceforge
Product: Data Center Audit
Published: Mar 06, 2026
Source: NVD

CVE-2018-25174 MEDIUM - 5.3

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and ...

Vendor: Abc-Erp
Product: ABC ERP
Published: Mar 06, 2026
Source: NVD

CVE-2018-25168 MEDIUM - 4.3

Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. Attackers can forge requests to the /public/admin/user/submitnew endpoint with user creation parameters t...

Vendor: Precurio
Product: Precurio Intranet Portal
Published: Mar 06, 2026
Source: NVD

CVE-2018-25162 MEDIUM - 6.5

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files dire...

Vendor: 2-Plan
Product: Plan Team
Published: Mar 06, 2026
Source: NVD

CVE-2026-28106 MEDIUM - 4.7

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium allows Phishing. This issue affects B2BKing Premium: from n/a through 5.3.80.

Vendor: Kings Plugins
Product: B2BKing Premium
Published: Mar 06, 2026
Source: NVD

CVE-2026-28080 MEDIUM - 4.3

Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rank Math SEO PRO: from n/a through 3.0.95.

Vendor: Rank Math
Product: Rank Math SEO PRO
Published: Mar 06, 2026
Source: NVD

CVE-2024-35644 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS. This issue affects Preferred Languages: from n/a through 2.2.2.

Vendor: Pascal Birchler
Product: Preferred Languages
Published: Mar 06, 2026
Source: NVD

CVE-2026-2830 MEDIUM - 6.1

The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it p...

Published: Mar 06, 2026
Source: NVD

CVE-2026-29049 MEDIUM - 4.3

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can caus...

Vendor: chainguard-dev
Product: melange
Published: Mar 06, 2026
Source: NVD

CVE-2026-29048 MEDIUM - 6.1

HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the con...

Vendor: humhub
Product: humhub
Published: Mar 06, 2026
Source: NVD

CVE-2026-28804 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.

Vendor: py-pdf
Product: pypdf
Published: Mar 06, 2026
Source: NVD

CVE-2026-28801 MEDIUM - 6.6

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any ahk code contained inside of a pattern or path file is executed by the macro. Since users commonly share path/pattern files, an attacker could share a file containing malicious code, which is t...

Vendor: NatroTeam
Product: NatroMacro
Published: Mar 06, 2026
Source: NVD

CVE-2026-28800 MEDIUM - 6.4

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel allows any user with permission to send messages in that channel to do anything on their computer. This include...

Vendor: NatroTeam
Product: NatroMacro
Published: Mar 06, 2026
Source: NVD

CVE-2026-1128 MEDIUM - 4.3

The WP eCommerce WordPress plugin through 3.15.1 does not have a CSRF check in place when deleting coupons, which could allow attackers to make a logged-in admin remove them via a CSRF attack.

Published: Mar 06, 2026
Source: NVD

CVE-2026-28675 MEDIUM - 5.3

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Additionally, login token material was exposed in UI/rendered responses and token rotation output. This issu...

Vendor: OpenSift
Product: OpenSift
Published: Mar 06, 2026
Source: NVD

CVE-2026-28509 MEDIUM - 6.3

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7.

Vendor: langbot-app
Product: LangBot
Published: Mar 06, 2026
Source: NVD

CVE-2026-28428 MEDIUM - 5.3

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — b...

Vendor: Talishar
Product: Talishar
Published: Mar 06, 2026
Source: NVD