Search Results (140 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-38520 2 Pinpoint.world, Wordpress 2 Pinpoint Booking System, Wordpress 2026-04-15 6.5 Medium
External Control of Assumed-Immutable Web Parameter vulnerability in PINPOINT.WORLD Pinpoint Booking System allows Functionality Misuse.This issue affects Pinpoint Booking System: from n/a through 2.9.9.3.4.
CVE-2025-32816 2026-04-15 3.1 Low
CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity.
CVE-2025-43002 2026-04-15 4.3 Medium
SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.
CVE-2024-12123 2026-04-15 N/A
A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user.  When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.  The ticket requester can be changed from the original requester to another user in the same application, which the application then accepts.
CVE-2024-3649 1 Wordpress 1 Contact Form Drag And Drop Form Builder 2026-04-15 5.3 Medium
The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.
CVE-2025-66385 1 Cerebrate-project 1 Cerebrate 2026-04-15 N/A
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.
CVE-2025-26312 2026-04-15 N/A
SendQuick Entera devices before 11HF5 are vulnerable to CAPTCHA bypass by removing the Captcha parameter.
CVE-2025-14750 1 Weintek 3 Cmt-ctrl01, Cmt-svrx-820, Cmt3072xh 2026-04-15 N/A
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.
CVE-2025-30236 1 Securenvoy 1 Securaccess 2026-04-15 8.6 High
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 allows authentication through only a six-digit TOTP code (skipping a password check) if an HTTP POST request contains a SESSION parameter.
CVE-2025-43930 2026-04-15 9.8 Critical
Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
CVE-2025-43933 2026-04-15 9.8 Critical
fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
CVE-2025-47817 2026-04-15 8.8 High
In BlueWave Checkmate through 2.0.2 before b387eba, a profile edit request can include a role parameter.
CVE-2025-47245 2026-04-15 8.1 High
In BlueWave Checkmate through 2.0.2 before d4a6072, an invite request can be modified to specify a privileged role.
CVE-2025-31327 2026-04-15 4.3 Medium
SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not impacted.
CVE-2026-4292 1 Djangoproject 1 Django 2026-04-14 2.7 Low
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
CVE-2026-5908 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
CVE-2026-5909 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
CVE-2026-5859 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-5870 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-5910 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)