Export limit exceeded: 359386 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (5517 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57567 | 1 Pluxml | 1 Pluxml | 2026-04-15 | 9.1 Critical |
| A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. | ||||
| CVE-2025-6531 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | ||||
| CVE-2024-57154 | 2026-04-15 | 9.8 Critical | ||
| Incorrect access control in dts-shop v0.0.1-SNAPSHOT allows attackers to bypass authentication via sending a crafted payload to /admin/auth/index. | ||||
| CVE-2025-57247 | 2026-04-15 | 9.1 Critical | ||
| The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base ERC20 contract are declared as public without proper access control modifiers, allowing any user to bypass transfer restrictions and manipulate special address settings. This enables unauthorized users to circumvent cold time transfer restrictions and potentially disrupt dividend distribution mechanisms, leading to privilege escalation and violation of the contract's intended tokenomics. | ||||
| CVE-2025-4962 | 1 Lunary-ai | 1 Lunary | 2026-04-15 | N/A |
| An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23. | ||||
| CVE-2024-57336 | 2026-04-15 | 6.5 Medium | ||
| Incorrect access control in M2Soft CROWNIX Report & ERS affected v7.x to v7.4.3.599 and v8.x to v8.0.3.79 allows unauthorized attackers to obtain Administrator account access. | ||||
| CVE-2025-4768 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. This affects the function uploadPicture of the file PictureServiceImpl.java. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. | ||||
| CVE-2024-7424 | 2026-04-15 | 5.4 Medium | ||
| The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects. | ||||
| CVE-2023-43626 | 1 Intel | 45 Atom C2308 Firmware, Atom C2316 Firmware, Atom C2338 Firmware and 42 more | 2026-04-15 | 7.5 High |
| Improper access control in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-39247 | 1 Hikvision | 1 Hikcentral Professional | 2026-04-15 | 8.6 High |
| There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | ||||
| CVE-2025-28233 | 2026-04-15 | 9.1 Critical | ||
| Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to execute a session hijacking attack. | ||||
| CVE-2024-53304 | 2026-04-15 | 6.5 Medium | ||
| An issue in LRQA Nettitude PoshC2 after commit 09ee2cf allows unauthenticated attackers to connect to the C2 server and execute arbitrary commands via posing as an infected machine. | ||||
| CVE-2024-40531 | 1 Uab Lexita | 2 Panteracrm Cms, Patera Crm Cms | 2026-04-15 | 8.8 High |
| A mass assignment vulnerability exists in Pantera CRM versions 401.152 and 402.072. This flaw allows authenticated users to modify any user attribute, including roles, by injecting additional parameters via profile management functions. | ||||
| CVE-2025-3113 | 2026-04-15 | N/A | ||
| A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to explore the internal database schema and export its data, including the properties of Connecters and Rule Sets. | ||||
| CVE-2025-4006 | 2026-04-15 | 4.7 Medium | ||
| A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-28231 | 2026-04-15 | 9.1 Critical | ||
| Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. | ||||
| CVE-2025-43712 | 1 Jhipster | 1 Generator-jhipster | 2026-04-15 | 2.9 Low |
| JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application). | ||||
| CVE-2025-20099 | 1 Intel | 1 Rapid Storage Technology | 2026-04-15 | 6.7 Medium |
| Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-20100 | 2026-04-15 | 7.5 High | ||
| Improper access control in the memory controller configurations for some Intel(R) Xeon(R) 6 processor with E-cores may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-10124 | 2026-04-15 | 9.8 Critical | ||
| The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1. | ||||