Total
88444 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-43861 | 2025-04-29 | N/A | 4.4 MEDIUM | ||
| ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc. | |||||
| CVE-2025-46495 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps allows Stored XSS. This issue affects Drop Caps: from n/a through 2.1. | |||||
| CVE-2025-46451 | 2025-04-29 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Floating Social Bar allows Stored XSS. This issue affects Floating Social Bar: from n/a through 1.1.7. | |||||
| CVE-2025-46479 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevynCJohnson BBCode Deluxe allows DOM-Based XSS. This issue affects BBCode Deluxe: from n/a through 2020.08.01.2. | |||||
| CVE-2022-44759 | 2025-04-29 | N/A | 4.6 MEDIUM | ||
| Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications. | |||||
| CVE-2025-46491 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew Muro Multi-Column Taxonomy List allows Stored XSS. This issue affects Multi-Column Taxonomy List: from n/a through 1.5. | |||||
| CVE-2025-46525 | 2025-04-29 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in msmitley WP Cookie Consent allows Stored XSS. This issue affects WP Cookie Consent: from n/a through 1.0. | |||||
| CVE-2025-39404 | 2025-04-29 | N/A | 4.7 MEDIUM | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Heateor Support Sassy Social Share allows Phishing. This issue affects Sassy Social Share: from n/a through 3.3.73. | |||||
| CVE-2025-3634 | 2025-04-29 | N/A | 4.3 MEDIUM | ||
| A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes. | |||||
| CVE-2025-46459 | 2025-04-29 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ralf Hortt Confirm User Registration allows Stored XSS. This issue affects Confirm User Registration: from n/a through 2.1.5. | |||||
| CVE-2025-3861 | 2025-04-29 | N/A | 5.4 MEDIUM | ||
| The Prevent Direct Access â Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media. | |||||
| CVE-2025-46433 | 2025-04-29 | N/A | 4.9 MEDIUM | ||
| In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible | |||||
| CVE-2025-46461 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Relentless Apps RRSSB allows DOM-Based XSS. This issue affects RRSSB: from n/a through 1.0.1. | |||||
| CVE-2025-3645 | 2025-04-29 | N/A | 4.3 MEDIUM | ||
| A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. | |||||
| CVE-2025-3636 | 2025-04-29 | N/A | 4.3 MEDIUM | ||
| A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks. | |||||
| CVE-2025-46533 | 2025-04-29 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdrift.no Landing pages and Domain aliases for WordPress allows Stored XSS. This issue affects Landing pages and Domain aliases for WordPress: from n/a through 0.8. | |||||
| CVE-2025-46599 | 2025-04-29 | N/A | 6.8 MEDIUM | ||
| CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials. | |||||
| CVE-2025-46467 | 2025-04-29 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K⢠RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2. | |||||
| CVE-2025-46595 | 2025-04-29 | N/A | 6.4 MEDIUM | ||
| An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format. | |||||
| CVE-2025-3912 | 2025-04-29 | N/A | 5.3 MEDIUM | ||
| The WS Form LITE â Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services. | |||||