Total
346993 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41228 | 1 Froxlor | 1 Froxlor | 2026-04-27 | 10 Critical |
| Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue. | ||||
| CVE-2026-39865 | 1 Axios | 1 Axios | 2026-04-27 | 5.9 Medium |
| Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2. | ||||
| CVE-2026-33600 | 1 Powerdns | 1 Recursor | 2026-04-27 | 4.4 Medium |
| An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | ||||
| CVE-2026-41233 | 1 Froxlor | 1 Froxlor | 2026-04-27 | 5.4 Medium |
| Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue. | ||||
| CVE-2026-33601 | 1 Powerdns | 1 Recursor | 2026-04-27 | 4.4 Medium |
| If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | ||||
| CVE-2026-33254 | 1 Powerdns | 1 Dnsdist | 2026-04-27 | 5.3 Medium |
| An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default. | ||||
| CVE-2026-32298 | 1 Angeet | 2 Es3 Kvm, Es3 Kvm Firmware | 2026-04-27 | 9.1 Critical |
| The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands. | ||||
| CVE-2026-32297 | 1 Angeet | 2 Es3 Kvm, Es3 Kvm Firmware | 2026-04-27 | 7.5 High |
| The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system. | ||||
| CVE-2025-66136 | 2 Merkulove, Wordpress | 2 Carter For Elementor, Wordpress | 2026-04-27 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carter for Elementor: from n/a through <= 1.0.2. | ||||
| CVE-2026-38834 | 1 Tenda | 2 W30e, W30e Firmware | 2026-04-27 | 7.3 High |
| Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2026-30266 | 1 Deepcool | 1 Deepcreative | 2026-04-27 | 7.8 High |
| Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file | ||||
| CVE-2026-7044 | 1 Greencms | 1 Greencms | 2026-04-27 | 6.3 Medium |
| A vulnerability was found in GreenCMS up to 2.3. Affected is the function themeadd of the file /index.php?m=admin&c=custom&a=themeadd. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-62938 | 2 Reoon Technology, Wordpress | 2 Reoon Email Verifier, Wordpress | 2026-04-27 | 4.3 Medium |
| Missing Authorization vulnerability in Reoon Technology Reoon Email Verifier reoon-email-verifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reoon Email Verifier: from n/a through <= 2.0.1. | ||||
| CVE-2025-62935 | 3 Ilmosys, Woocommerce, Wordpress | 3 Open Close Woocommerce Store, Woocommerce, Wordpress | 2026-04-27 | 4.3 Medium |
| Missing Authorization vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0. | ||||
| CVE-2025-62934 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Mejar WP Business Hours wp-business-hours allows Stored XSS.This issue affects WP Business Hours: from n/a through <= 1.4. | ||||
| CVE-2025-62933 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Prakash Awesome Testimonials awesome-testimonials allows Stored XSS.This issue affects Awesome Testimonials: from n/a through <= 2.2.1. | ||||
| CVE-2025-62932 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 4.3 Medium |
| Missing Authorization vulnerability in wprio Table Block by RioVizual riovizual allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Table Block by RioVizual: from n/a through <= 3.0.0. | ||||
| CVE-2025-62931 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 4.3 Medium |
| Missing Authorization vulnerability in microsoftstart MSN Partner Hub microsoft-start allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MSN Partner Hub: from n/a through <= 2.9. | ||||
| CVE-2025-62929 | 2 Pluginops, Wordpress | 2 Testimonial Slider, Wordpress | 2026-04-27 | 6.5 Medium |
| Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonial Slider: from n/a through <= 2.0.15. | ||||
| CVE-2025-62928 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 4.3 Medium |
| Missing Authorization vulnerability in Joby Joseph SEO Meta Description Updater seo-meta-description-updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Meta Description Updater: from n/a through <= 1.2.0. | ||||