CVE List - 2025 / April
Showing 2301 - 2400 of 4033 CVEs for April 2025 (Page 24 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-26908 | 2025-04-15 | WordPress Kargo Entegratör plugin <= 1.1.14 - SQL Injection vulnerability |
| CVE-2025-26919 | 2025-04-15 | WordPress Tainá plugin <= 0.2.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26927 | 2025-04-15 | WordPress AI Hub plugin <= 1.3.3 - Arbitrary File Upload vulnerability |
| CVE-2025-26930 | 2025-04-15 | WordPress Home Services plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26934 | 2025-04-15 | WordPress Glossy Blog theme <= 1.0.3 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26950 | 2025-04-15 | WordPress Nepali Date Converter plugin <= 2.0.8 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26951 | 2025-04-15 | WordPress C9 Blocks plugin <= 1.7.7 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26953 | 2025-04-15 | WordPress JetMenu <= 2.4.9 - Broken Access Control Vulnerability |
| CVE-2025-26996 | 2025-04-15 | WordPress Sign-up Sheets plugin <= 2.3.0.1 - Shortcode Injection vulnerability |
| CVE-2025-30257 | 2025-04-15 | Growatt Cloud portal Authorization Bypass Through User-Controlled Key |
| CVE-2025-26998 | 2025-04-15 | WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-27008 | 2025-04-15 | WordPress Unlimited Timeline < 1.6.1 - Broken Access Control Vulnerability |
| CVE-2025-27011 | 2025-04-15 | WordPress Booking and Rental Manager plugin <= 2.2.8 - Local File Inclusion vulnerability |
| CVE-2025-30966 | 2025-04-15 | WordPress WPJobBoard plugin < 5.11.1 - Path Traversal vulnerability |
| CVE-2025-30967 | 2025-04-15 | WordPress WPJobBoard plugin < 5.11.1 - CSRF to Remote Code Execution (RCE) vulnerability |
| CVE-2025-30970 | 2025-04-15 | WordPress Easy Contact plugin <= 0.1.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-30982 | 2025-04-15 | WordPress MyBookProgress by Stormhill Media plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-30984 | 2025-04-15 | WordPress SEO Tools plugin <= 4.0.7 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-32923 | 2025-04-15 | WordPress Tourmaster plugin < 5.4.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-27561 | 2025-04-15 | Growatt Cloud portal Authorization Bypass Through User-Controlled Key |
| CVE-2025-32784 | 2025-04-15 | conda-forge-webservices has an Unauthorized Artifact Modification Race Condition |
| CVE-2025-24315 | 2025-04-15 | Growatt Cloud portal Authorization Bypass Through User-Controlled Key |
| CVE-2025-27929 | 2025-04-15 | Growatt Cloud portal Authorization Bypass Through User-Controlled Key |
| CVE-2025-32782 | 2025-04-15 | Ash Authentication email link auto-click account confirmation vulnerability |
| CVE-2025-32435 | 2025-04-15 | Hydra no restricted eval after nix-eval-jobs migration |
| CVE-2025-32388 | 2025-04-15 | SvelteKit allows XSS via tracked search_params |
| CVE-2025-32385 | 2025-04-15 | EspoCRM allows unrestricted Embedding in Iframe dashlet |
| CVE-2025-30215 | 2025-04-15 | NATS-Server Fails to Authorize Certain Jetstream Admin APIs |
| CVE-2024-40068 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at id_generator/admin/?page=templates/manage_template&id=1. |
| CVE-2024-40069 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain Stored Cross Site Scripting (XSS) via id_generator/classes/Users.php?f=save, and the point of vulnerability is in the POST parameter 'firstname' and 'lastname'. |
| CVE-2024-40070 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/Users.php?f=save. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2024-40071 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2024-40072 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at id_generator/admin/?page=generate/index&id=1. |
| CVE-2024-40073 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the template parameter at id_generator/admin/?page=generate&template=4. |
| CVE-2024-40074 | 2025-04-16 | Sourcecodester Online ID Generator System 1.0 was discovered to contain Stored Cross Site Scripting (XSS) via id_generator/classes/SystemSettings.php?f=update_settings, and the point of vulnerability is in the POST parameter 'short_name'. |
| CVE-2024-53303 | 2025-04-16 | A remote code execution (RCE) vulnerability in the upload_file function of LRQA Nettitude PoshC2 after commit 123db87 allows authenticated attackers to execute arbitrary code via a crafted POST request. |
| CVE-2024-53304 | 2025-04-16 | An issue in LRQA Nettitude PoshC2 after commit 09ee2cf allows unauthenticated attackers to connect to the C2 server and execute arbitrary commands via posing as an infected machine. |
| CVE-2024-53305 | 2025-04-16 | An issue in the component /models/config.py of Whoogle search v0.9.0 allows attackers to execute arbitrary code via supplying a crafted search query. |
| CVE-2024-55371 | 2025-04-16 | Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP... |
| CVE-2024-55372 | 2025-04-16 | Wallos <= 2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file... |
| CVE-2024-58248 | 2025-04-16 | nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards. |
| CVE-2024-58249 | 2025-04-16 | In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. |
| CVE-2025-26153 | 2025-04-16 | A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to... |
| CVE-2025-28072 | 2025-04-16 | PHPGurukul Pre-School Enrollment System is vulnerable to Directory Traversal in manage-teachers.php. |
| CVE-2025-29708 | 2025-04-16 | SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services. |
| CVE-2025-29709 | 2025-04-16 | SourceCodester Company Website CMS 1.0 has a file upload vulnerability via the "Create portfolio" file /dashboard/portfolio. |
| CVE-2025-29710 | 2025-04-16 | SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services. |
| CVE-2025-43703 | 2025-04-16 | An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of... |
| CVE-2025-43704 | 2025-04-16 | Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server. |
| CVE-2025-30100 | 2025-04-16 | Dell Alienware Command Center 6.x, versions prior to 6.7.37.0 contain an Improper Access Control Vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation... |
| CVE-2025-2314 | 2025-04-16 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-13452 | 2025-04-16 | Contact Form by Supsystic <= 1.7.29 - Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action |
| CVE-2025-3698 | 2025-04-16 | Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk. |
| CVE-2025-3663 | 2025-04-16 | TOTOLINK A3700R Password cstecgi.cgi setWiFiEasyGuestCfg access control |
| CVE-2025-3664 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg access control |
| CVE-2025-3665 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setSmartQosCfg access control |
| CVE-2025-3495 | 2025-04-16 | COMMGR - Insufficient Randomization Authentication Bypass |
| CVE-2025-3666 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setDdnsCfg access control |
| CVE-2025-3667 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setUPnPCfg access control |
| CVE-2025-3668 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setScheduleCfg access control |
| CVE-2025-22018 | 2025-04-16 | atm: Fix NULL pointer dereference |
| CVE-2025-3247 | 2025-04-16 | Contact Form 7 <= 6.0.5 - Order Replay Vulnerability |
| CVE-2024-10680 | 2025-04-16 | Form Maker by 10Web < 1.15.32 - Admin+ Stored XSS |
| CVE-2025-3674 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setUrlFilterRules access control |
| CVE-2025-3675 | 2025-04-16 | TOTOLINK A3700R cstecgi.cgi setL2tpServerCfg access control |
| CVE-2025-0101 | 2025-04-16 | WAGO: Year 2038 problem |
| CVE-2025-3077 | 2025-04-16 | Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-24839 | 2025-04-16 | Unauthorized AI bot activation via Wrangler plugin |
| CVE-2025-27538 | 2025-04-16 | MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users |
| CVE-2025-27571 | 2025-04-16 | Channel metadata visible in archived channels despite configuration setting |
| CVE-2025-3676 | 2025-04-16 | xxyopen Novel-Plus books sql injection |
| CVE-2025-3104 | 2025-04-16 | WP Staging Pro <= 6.1.2 - Unauthenticated Information Exposure via getOutdatedPluginsRequest Function |
| CVE-2025-3677 | 2025-04-16 | lm-sys fastchat apply_delta.py apply_delta_low_cpu_mem deserialization |
| CVE-2024-52281 | 2025-04-16 | Stored Cross-site Scripting vulnerability in Rancher UI |
| CVE-2024-22036 | 2025-04-16 | Rancher Remote Code Execution via Cluster/Node Drivers |
| CVE-2023-32197 | 2025-04-16 | Rancher's External RoleTemplates can lead to privilege escalation |
| CVE-2025-3678 | 2025-04-16 | PCMan FTP Server HELP Command buffer overflow |
| CVE-2025-31363 | 2025-04-16 | Data exfiltration via AI plugin Jira tool |
| CVE-2025-27936 | 2025-04-16 | Webhook Secret Exposure via Timing attack in MSteams plugin |
| CVE-2025-3679 | 2025-04-16 | PCMan FTP Server HOST Command buffer overflow |
| CVE-2025-3680 | 2025-04-16 | PCMan FTP Server LANG Command buffer overflow |
| CVE-2025-3681 | 2025-04-16 | PCMan FTP Server MODE Command buffer overflow |
| CVE-2025-22019 | 2025-04-16 | bcachefs: bch2_ioctl_subvolume_destroy() fixes |
| CVE-2025-22020 | 2025-04-16 | memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove |
| CVE-2025-22021 | 2025-04-16 | netfilter: socket: Lookup orig tuple for IPv6 SNAT |
| CVE-2025-22022 | 2025-04-16 | usb: xhci: Apply the link chain quirk on NEC isoc endpoints |
| CVE-2025-22023 | 2025-04-16 | usb: xhci: Don't skip on Stopped - Length Invalid |
| CVE-2025-30960 | 2025-04-16 | WordPress FS Poster plugin <= 6.5.8 - Subscriber+ Site Wide Broken Access Control vulnerability |
| CVE-2024-58092 | 2025-04-16 | nfsd: fix legacy client tracking initialization |
| CVE-2025-3682 | 2025-04-16 | PCMan FTP Server PASV Command buffer overflow |
| CVE-2025-3683 | 2025-04-16 | PCMan FTP Server SIZE Command buffer overflow |
| CVE-2025-3684 | 2025-04-16 | Xianqi Kindergarten Management System Child Management stu_list.php sql injection |
| CVE-2025-3685 | 2025-04-16 | code-projects Patient Record Management System edit_fpatient.php sql injection |
| CVE-2025-3686 | 2025-04-16 | misstt123 oasys show image path traversal |
| CVE-2025-3687 | 2025-04-16 | misstt123 oasys Sticky Notes cross-site request forgery |
| CVE-2025-3688 | 2025-04-16 | mirweiye Seven Bears Library CMS Background Management Page cross site scripting |
| CVE-2025-3689 | 2025-04-16 | PHPGurukul Men Salon Management System edit-customer-detailed.php sql injection |
| CVE-2025-1980 | 2025-04-16 | Remote Code Execution via Unrestricted File Upload in Ready_ |
| CVE-2025-1981 | 2025-04-16 | SQL Injection in Ready_ |
| CVE-2025-1982 | 2025-04-16 | Local File Inclusion in Ready_ |