CVE List - 2025 / April
Showing 3601 - 3700 of 4038 CVEs for April 2025 (Page 37 of 41)
CVE ID | Date | Title |
---|---|---|
CVE-2025-32986 | 2025-04-25 | NETSCOUT nGeniusONE before 6.4.0 b2350 has a Sensitive File Accessible... |
CVE-2025-46544 | 2025-04-25 | In Sherpa Orchestrator 141851, a low-privileged user can elevate their... |
CVE-2025-46545 | 2025-04-25 | In Sherpa Orchestrator 141851, the functionality for adding or updating... |
CVE-2025-46546 | 2025-04-25 | In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can... |
CVE-2025-46547 | 2025-04-25 | In Sherpa Orchestrator 141851, the web application lacks protection against... |
CVE-2025-46595 | 2025-04-25 | An XSS issue was discovered in the Flag module before... |
CVE-2025-46599 | 2025-04-25 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration... |
CVE-2025-46613 | 2025-04-25 | OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a... |
CVE-2025-46616 | 2025-04-25 | Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary... |
CVE-2025-46617 | 2025-04-25 | Quantum StorNext Web GUI API before 7.2.4 grants access to... |
CVE-2025-43864 | 2025-04-25 | React Router allows a DoS via cache poisoning by forcing SPA mode |
CVE-2025-43865 | 2025-04-25 | React Router allows pre-render data spoofing on React-Router framework mode |
CVE-2025-3775 | 2025-04-25 | ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter |
CVE-2025-3752 | 2025-04-25 | Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter |
CVE-2025-3511 | 2025-04-25 | Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi... |
CVE-2025-2580 | 2025-04-25 | Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
CVE-2025-3861 | 2025-04-25 | Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions |
CVE-2025-3923 | 2025-04-25 | Prevent Direct Access – Protect WordPress Files <= 2.8.8 - Unauthenticated Sensitive Information Exposure |
CVE-2025-0671 | 2025-04-25 | Email Subscribers < 5.7.50 - Admin+ Stored XSS in Template |
CVE-2025-3866 | 2025-04-25 | Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
CVE-2025-3867 | 2025-04-25 | Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
CVE-2025-3868 | 2025-04-25 | Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting |
CVE-2025-2238 | 2025-04-25 | Vikinger <= 1.9.30 - Authenticated (Subscriber+) Privilege Escalation via 'vikinger_user_meta_update_ajax' |
CVE-2025-3743 | 2025-04-25 | Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation |
CVE-2025-46482 | 2025-04-25 | WordPress WP Quiz plugin <= 2.0.10 - Cross Site Scripting (XSS) vulnerability |
CVE-2025-46535 | 2025-04-25 | WordPress Custom Login and Registration plugin <= 1.0.0 - Broken Access Control vulnerability |
CVE-2025-3870 | 2025-04-25 | 1 Decembrie 1918 <= 1.dec.2012 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
CVE-2025-1279 | 2025-04-25 | BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update |
CVE-2025-1565 | 2025-04-25 | Mayosis Core <= 5.4.1 - Unauthenticated Arbitrary File Read |
CVE-2025-2986 | 2025-04-25 | IBM Maximo Asset Management cross-site scripting |
CVE-2025-3912 | 2025-04-25 | WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure |
CVE-2024-11917 | 2025-04-25 | JobSearch WP Job Board <= 2.8.8 - Authentication Bypass via Social Logins |
CVE-2025-2470 | 2025-04-25 | Service Finder Bookings <= 5.1 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input' |
CVE-2024-6198 | 2025-04-25 | SNORE Interface Unauthenticated Remote Code Execution |
CVE-2024-6199 | 2025-04-25 | Unauthenticated Remote Code Execution |
CVE-2025-3634 | 2025-04-25 | Moodle: moodle allows course self-enrolment before completing mfa |
CVE-2025-43016 | 2025-04-25 | In JetBrains Rider before 2025.1.2 custom archive unpacker allowed arbitrary... |
CVE-2025-46432 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed... |
CVE-2025-46433 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset... |
CVE-2025-46618 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 stored XSS was possible on... |
CVE-2025-3625 | 2025-04-25 | Moodle: user dos and name disclosure via idor in moodle mfa email factor revoke action |
CVE-2025-3627 | 2025-04-25 | Moodle: partial data exposure in moodle before completing multi-factor authentication |
CVE-2025-3628 | 2025-04-25 | Moodle: moodle assignment submission search leaks anonymous student identities |
CVE-2025-3635 | 2025-04-25 | Moodle: csrf risk in moodle user tours manager allows tour duplication |
CVE-2025-3636 | 2025-04-25 | Moodle: idor in moodle rss block allows unauthorized access to rss feeds |
CVE-2025-3637 | 2025-04-25 | Moodle: csrf token exposure via url in moodle mod_data module |
CVE-2025-3638 | 2025-04-25 | Moodle: csrf risk in brickfield tool's analysis request action |
CVE-2025-3640 | 2025-04-25 | Moodle: idor in web service allows users enrolled in a course to access some details of other users |
CVE-2025-3641 | 2025-04-25 | Moodle: authenticated remote code execution risk in the moodle lms dropbox repository |
CVE-2025-3642 | 2025-04-25 | Moodle: authenticated remote code execution risk in the moodle lms equella repository |
CVE-2025-3643 | 2025-04-25 | Moodle: reflected xss risk in policy tool |
CVE-2025-3644 | 2025-04-25 | Moodle: ajax section delete does not respect course_can_delete_section() |
CVE-2025-3645 | 2025-04-25 | Moodle: idor in messaging web service allows access to some user details |
CVE-2025-3647 | 2025-04-25 | Moodle: idor when accessing the cohorts report |
CVE-2025-32044 | 2025-04-25 | Moodle: unauthenticated rest api user data exposure |
CVE-2025-32045 | 2025-04-25 | Moodle: hidden grades shown to users without permission on some grade reports |
CVE-2025-32432 | 2025-04-25 | Craft CMS Allows Remote Code Execution |
CVE-2025-43862 | 2025-04-25 | Dify Allows Unauthorized Access and Modification of APP Orchestration |
CVE-2024-56156 | 2025-04-25 | Halo Vulnerable to Stored XSS and RCE via File Upload Bypass |
CVE-2025-2068 | 2025-04-25 | An open redirect vulnerability was reported in the FileZ client... |
CVE-2025-2069 | 2025-04-25 | A cross-site scripting vulnerability was reported in the FileZ client... |
CVE-2025-2070 | 2025-04-25 | An improper XML parsing vulnerability was reported in the FileZ... |
CVE-2025-3928 | 2025-04-25 | Commvault Web Server unspecified vulnerability |
CVE-2024-30152 | 2025-04-25 | HCL SX is affected by usage of a weak cryptographic algorithm |
CVE-2025-3935 | 2025-04-25 | ScreenConnect Exposure to ASP.NET ViewState Code Injection |
CVE-2025-46333 | 2025-04-25 | z2d OOB composition could lead to invalid memory access and corruption |
CVE-2024-53636 | 2025-04-26 | An arbitrary file upload vulnerability via writefile.php of Serosoft Academia... |
CVE-2025-46646 | 2025-04-26 | In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong... |
CVE-2025-46652 | 2025-04-26 | In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability.... |
CVE-2025-46653 | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on... |
CVE-2025-46654 | 2025-04-26 | CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS... |
CVE-2025-46655 | 2025-04-26 | CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS... |
CVE-2025-46656 | 2025-04-26 | python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such... |
CVE-2025-2801 | 2025-04-26 | Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution |
CVE-2024-13808 | 2025-04-26 | Xpro Elementor Addons - Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution |
CVE-2025-2105 | 2025-04-26 | Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR |
CVE-2025-1458 | 2025-04-26 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+) Stored Cross-Site Scripting |
CVE-2025-3491 | 2025-04-26 | Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution |
CVE-2025-3914 | 2025-04-26 | Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload |
CVE-2025-3906 | 2025-04-26 | Integração entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation |
CVE-2025-3915 | 2025-04-26 | Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion |
CVE-2025-2907 | 2025-04-26 | Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update |
CVE-2025-2811 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus API redos |
CVE-2025-2850 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus Download Interface improper authorization |
CVE-2025-2851 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus RPC plugins.so buffer overflow |
CVE-2024-13812 | 2025-04-26 | Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution |
CVE-2025-2101 | 2025-04-26 | Edumall <= 4.2.4 - Unauthenticated Local File Inclusion |
CVE-2025-3954 | 2025-04-26 | ChurchCRM Referer server-side request forgery |
CVE-2025-46657 | 2025-04-27 | Karaz Karazal through 2025-04-14 allows reflected XSS via the lang... |
CVE-2025-46672 | 2025-04-27 | NASA CryptoLib before 1.3.2 does not check the OTAR crypto... |
CVE-2025-46673 | 2025-04-27 | NASA CryptoLib before 1.3.2 does not check whether the SA... |
CVE-2025-46674 | 2025-04-27 | NASA CryptoLib before 1.3.2 uses Extended Procedures that are a... |
CVE-2025-46675 | 2025-04-27 | In NASA CryptoLib before 1.3.2, the key state is not... |
CVE-2025-46687 | 2025-04-27 | quickjs-ng through 0.9.0 has a missing length check in JS_ReadString... |
CVE-2025-46688 | 2025-04-27 | quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt... |
CVE-2025-46689 | 2025-04-27 | Ververica Platform 2.14.0 contains a Reflected XSS vulnerability via a... |
CVE-2025-46690 | 2025-04-27 | Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors... |
CVE-2025-3955 | 2025-04-27 | codeprojects Patient Record Management System edit_rpatient.php.php sql injection |
CVE-2025-46574 | 2025-04-27 | ZTE GoldenDB Database product has an input validation vulnerability |
CVE-2025-46575 | 2025-04-27 | ZTE GoldenDB Database product has an information disclosure vulnerability |