Export limit exceeded: 361542 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 361542 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12497 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48860 | 1 Bosch | 1 Ctrlx Os | 2026-04-15 | 8 High |
| A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to access sensitive data. | ||||
| CVE-2022-43110 | 1 Voltronicpower | 1 Viewpower | 2026-04-15 | 9.8 Critical |
| Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | ||||
| CVE-2025-60375 | 1 Perfexcrm | 1 Perfex Crm | 2026-04-15 | 7.3 High |
| The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts, including administrative accounts, without providing valid credentials. | ||||
| CVE-2024-57157 | 2026-04-15 | 9.8 Critical | ||
| Incorrect access control in Jantent v1.1 allows attackers to bypass authentication and access sensitive APIs without a token. | ||||
| CVE-2025-43701 | 2026-04-15 | 7.5 High | ||
| Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254. | ||||
| CVE-2025-4474 | 2026-04-15 | 8.8 High | ||
| The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator. | ||||
| CVE-2025-64483 | 1 Wazuh | 2 Wazuh, Wazuh-dashboard | 2026-04-15 | N/A |
| Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | ||||
| CVE-2024-33227 | 1 Nicomsoft | 1 Wini2c | 2026-04-15 | 8.8 High |
| An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. | ||||
| CVE-2024-33396 | 1 Karmada-io | 1 Karmada | 2026-04-15 | 8.4 High |
| An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | ||||
| CVE-2025-60982 | 1 Educare | 1 Educare Erp | 2026-04-15 | 5.4 Medium |
| IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object identifiers in API requests. Attackers can exploit this flaw to view or modify sensitive records without proper authorization. | ||||
| CVE-2025-10847 | 1 Broadcom | 1 Unified Infrastructure Management | 2026-04-15 | N/A |
| DX Unified Infrastructure Management (Nimsoft/UIM) and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system. | ||||
| CVE-2025-65127 | 1 Shenzhen Zhibotong Electronics | 1 Zbt We2001 | 2026-04-15 | 6.5 Medium |
| A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get_*" operations, attackers can obtain device configuration data, including plaintext credentials, without authentication or an existing session. | ||||
| CVE-2024-0130 | 2026-04-15 | 8.8 High | ||
| NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, and information disclosure. | ||||
| CVE-2024-32881 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | 9.8 Critical |
| Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63. | ||||
| CVE-2025-1475 | 2026-04-15 | 9.8 Critical | ||
| The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled. | ||||
| CVE-2025-2397 | 2026-04-15 | 2.4 Low | ||
| A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been declared as problematic. This vulnerability affects unknown code of the component Telnet Service. The manipulation leads to improper authorization. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-64400 | 1 Palantir | 1 Control Panel | 2026-04-15 | 4.1 Medium |
| Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has `edit` on the enrollment-level user directory, but is missing a separate check that the enrollment editor has access (or belongs to) the organization that they are adding a user to. | ||||
| CVE-2024-1609 | 2026-04-15 | N/A | ||
| In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation. | ||||
| CVE-2025-12998 | 1 Typo3 | 1 Typo3 | 2026-04-15 | N/A |
| Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules.This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | ||||
| CVE-2024-47910 | 1 Sonarsource | 1 Sonarqube | 2026-04-15 | 7.2 High |
| An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT. | ||||