Total
7793 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11281 | 2026-04-15 | 9.8 Critical | ||
| The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account. | ||||
| CVE-2025-27428 | 2026-04-15 | 7.7 High | ||
| Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to high impact on confidentiality. There is no impact on integrity or availability. | ||||
| CVE-2025-4477 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2026-04-15 | 7.2 High |
| The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator level through a specific API. | ||||
| CVE-2024-45286 | 2026-04-15 | 6.5 Medium | ||
| Due to lack of proper authorization checks when calling user, a function module in obsolete Tobin interface in SAP Production and Revenue Accounting allows unauthorized access that could lead to disclosure of highly sensitive data. There is no impact on integrity or availability. | ||||
| CVE-2025-29756 | 2026-04-15 | N/A | ||
| SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices. | ||||
| CVE-2025-42899 | 1 Sap | 1 S4core | 2026-04-15 | 4.3 Medium |
| SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application. | ||||
| CVE-2025-42913 | 1 Sap | 1 Fiori | 2026-04-15 | 3.1 Low |
| Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted. | ||||
| CVE-2025-42987 | 2026-04-15 | 4.3 Medium | ||
| SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application. | ||||
| CVE-2025-42989 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-04-15 | 9.6 Critical |
| RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. | ||||
| CVE-2025-43008 | 2026-04-15 | 5.8 Medium | ||
| Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability. | ||||
| CVE-2024-1995 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscrber-level access and above, to retrieve post content that is password protected and/or private. | ||||
| CVE-2024-10580 | 1 Wpmudev | 1 Hustle | 2026-04-15 | 5.3 Medium |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms. | ||||
| CVE-2025-30107 | 2026-04-15 | 7.5 High | ||
| On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle. | ||||
| CVE-2024-0122 | 2026-04-15 | 7.6 High | ||
| NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker may cause an unauthorized action. A successful exploit of this vulnerability may lead to partial denial of service and confidential information disclosure. | ||||
| CVE-2024-12559 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to modify or remove the plugin's API key. | ||||
| CVE-2024-13747 | 2026-04-15 | 4.3 Medium | ||
| The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query. | ||||
| CVE-2025-6814 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.5 High |
| The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request. | ||||
| CVE-2024-4997 | 3 Victor Freitas, Victorfreitas, Wordpress | 3 Wpupper Share Buttons, Wpupper Share Buttons, Wordpress | 2026-04-15 | 5.3 Medium |
| The WPUpper Share Buttons plugin for WordPress is vulnerable to unauthorized access of data when preparing sharing links for posts and pages in all versions up to, and including, 3.43. This makes it possible for unauthenticated attackers to obtain the contents of password protected posts and pages. | ||||
| CVE-2024-33000 | 2026-04-15 | 3.5 Low | ||
| SAP Bank Account Management does not perform necessary authorization check for an authorized user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality to the system. | ||||
| CVE-2025-4597 | 2026-04-15 | 6.5 Medium | ||
| The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | ||||