Total
412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32078 | 2026-04-15 | N/A | N/A | ||
| Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43. | |||||
| CVE-2025-1308 | 2026-04-15 | N/A | N/A | ||
| A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions. | |||||
| CVE-2026-23880 | 2026-04-15 | N/A | 7.3 HIGH | ||
| OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. | |||||
| CVE-2025-55903 | 2026-04-15 | N/A | 8.3 HIGH | ||
| A HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents. | |||||
| CVE-2025-46583 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| There is a Denial of Service(DoS)vulnerability in the ZTE MC889A Pro product. Due to insufficient validation of the input parameters of the Short Message Service interface, allowing an attacker to exploit it to carry out a DoS attack. | |||||
| CVE-2024-46547 | 2026-04-15 | N/A | 7.5 HIGH | ||
| A vulnerability was found in Romain Bourdon Wampserver all versions (discovered in v3.2.3 and v3.2.6) where unauthorized users could access sensitive information due to improper access control validation via PHP Info Page. This issue can lead to data leaks. | |||||
| CVE-2023-45359 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup. | |||||
| CVE-2024-27629 | 2026-04-15 | N/A | 7.8 HIGH | ||
| An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of compression are used. | |||||
| CVE-2025-61084 | 2026-04-15 | N/A | 7.1 HIGH | ||
| MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability. | |||||
| CVE-2025-8276 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Patika Global Technologies HumanSuite allows Cross-Site Scripting (XSS), Phishing.This issue affects HumanSuite: before 53.21.0. | |||||
| CVE-2025-1795 | 2026-04-15 | N/A | N/A | ||
| During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers. | |||||
| CVE-2025-0607 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| Improper Encoding or Escaping of Output vulnerability in Logo Software Inc. Logo Cloud allows Phishing.This issue affects Logo Cloud: before 2.57. | |||||
| CVE-2025-61773 | 2026-04-15 | N/A | 8.1 HIGH | ||
| pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue. | |||||
| CVE-2023-28362 | 2026-04-15 | N/A | 4.0 MEDIUM | ||
| The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. | |||||
| CVE-2025-34141 | 2026-04-15 | N/A | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1. | |||||
| CVE-2025-49013 | 2026-04-15 | N/A | 9.9 CRITICAL | ||
| WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user controlled variables directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. Developers who maintain or contribute to the repos WilderForge/WilderForge, WilderForge/ExampleMod, WilderForge/WilderWorkspace, WilderForge/WildermythGameProvider, WilderForge/AutoSplitter, WilderForge/SpASM, WilderForge/thrixlvault, WilderForge/MassHash, and/or WilderForge/DLC_Disabler; as well as users who fork any of the above repositories and reuse affected GitHub Actions workflows, are affected. End users of any the above software and users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the software or compiled outputs unless those outputs were produced during exploitation of this vulnerability. A current workaround is to disable GitHub Actions in affected repositories, or remove the affected workflows. | |||||
| CVE-2025-42896 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability. | |||||
| CVE-2025-55729 | 2026-04-15 | N/A | 10.0 CRITICAL | ||
| XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue. | |||||
| CVE-2025-24338 | 2026-04-15 | N/A | 7.1 HIGH | ||
| A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests. | |||||
| CVE-2025-59936 | 2026-04-15 | N/A | 9.4 CRITICAL | ||
| get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs, the first one ensuring that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leveraging that cached key to pass signature validation for a targeted iss value. The vulnerability will work only if the iss validation is done after the use of get-jwks for keys retrieval. This issue has been patched in version 11.0.2. | |||||