Export limit exceeded: 11889 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11889 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14693 | 1 Ugreen | 1 Dh2100+ | 2026-04-15 | 6.2 Medium |
| A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. It is suggested to upgrade the affected component. | ||||
| CVE-2025-14696 | 1 Shenzhen Sixun | 1 Business Management System | 2026-04-15 | 5.3 Medium |
| A vulnerability was identified in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this vulnerability is an unknown functionality of the file /api/GylOperator/UpdatePasswordBatch. The manipulation leads to weak password recovery. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3574 | 2026-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | ||||
| CVE-2024-25883 | 2026-04-15 | 5.3 Medium | ||
| The mstatus register in RSD commit 3d13a updates incorrectly, leading to processing errors. | ||||
| CVE-2025-20044 | 1 Intel | 1 Tdx Module Software | 2026-04-15 | 4.1 Medium |
| Improper locking for some Intel(R) TDX Module firmware before version 1.5.13 may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-6249 | 2026-04-15 | 6.7 Medium | ||
| An authentication bypass vulnerability was reported in FileZ client application that could allow a local attacker with elevated permissions access to application data. | ||||
| CVE-2023-32189 | 2026-04-15 | 5.9 Medium | ||
| Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys | ||||
| CVE-2025-14302 | 1 Gigabyte | 6 Amd 600, Amd 800, Amd Trx50 and 3 more | 2026-04-15 | 6.8 Medium |
| Certain motherboard models developed by GIGABYTE has a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. | ||||
| CVE-2024-12827 | 2026-04-15 | 9.8 Critical | ||
| The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2025-3930 | 1 Strapi | 1 Strapi | 2026-04-15 | N/A |
| Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1. | ||||
| CVE-2025-23183 | 2026-04-15 | 6.1 Medium | ||
| CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | ||||
| CVE-2024-12824 | 2026-04-15 | 9.8 Critical | ||
| The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2025-34458 | 1 Wb2osz | 1 Dire Wolf | 2026-04-15 | 7.5 High |
| wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 3658a87, contain a reachable assertion vulnerability in the APRS MIC-E decoder function aprs_mic_e() located in src/decode_aprs.c. When processing a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, the application triggers an unhandled assertion checking for a non-empty comment. This assertion failure causes immediate process termination, allowing a remote, unauthenticated attacker to cause a denial of service by sending malformed APRS traffic. | ||||
| CVE-2025-12902 | 1 Solidigm | 5 D5 P5316 Firmware, D5 P5336 Firmware, D5 P5430 Firmware and 2 more | 2026-04-15 | 4.4 Medium |
| Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain un-authorized access to a locked Storage Device or create a Denial of Service. | ||||
| CVE-2025-57704 | 2026-04-15 | 5.5 Medium | ||
| Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability. | ||||
| CVE-2024-56959 | 2026-04-15 | 6.5 Medium | ||
| An issue in Mashang Consumer Finance Co., Ltd Anyihua iOS 3.6.2 allows attackers to access sensitive user information via supplying a crafted link. | ||||
| CVE-2024-54661 | 2 Dest-unreach, Redhat | 4 Socat, Enterprise Linux, Rhel E4s and 1 more | 2026-04-15 | 9.8 Critical |
| readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file. | ||||
| CVE-2024-24312 | 2026-04-15 | 7.5 High | ||
| SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component. | ||||
| CVE-2024-12309 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts. | ||||
| CVE-2024-12306 | 1 Unifiedtransform | 1 Unifiedtransform | 2026-04-15 | 4.3 Medium |
| Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available. | ||||