Export limit exceeded: 352811 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8343 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43717 | 2026-04-15 | 5.4 Medium | ||
| In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS. | ||||
| CVE-2024-6960 | 1 Mvnrepository | 1 H2o-core | 2026-04-15 | 7.5 High |
| The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. | ||||
| CVE-2025-10363 | 1 Microsoft | 1 Windows | 2026-04-15 | N/A |
| Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution.This issue affects at least Topal Finanzbuchhaltung: 10.1.5.20 and is fixed in version 11.2.12.00 | ||||
| CVE-2025-46742 | 2026-04-15 | 4.3 Medium | ||
| Users who were required to change their password could still access system information before changing their password | ||||
| CVE-2025-3165 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability classified as critical has been found in thu-pacman chitu 0.1.0. This affects the function torch.load of the file chitu/chitu/backend.py. The manipulation of the argument ckpt_path/quant_ckpt_dir leads to deserialization. An attack has to be approached locally. | ||||
| CVE-2024-11501 | 1 Webdzier | 1 Gallery | 2026-04-15 | 8.8 High |
| The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2021-4463 | 1 Shenzhen Longjing Technology | 1 Bems Api | 2026-04-15 | N/A |
| Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory. | ||||
| CVE-2025-48018 | 2026-04-15 | 7.5 High | ||
| An authenticated user can modify application state data. | ||||
| CVE-2025-32382 | 1 Metabase | 1 Metabase | 2026-04-15 | N/A |
| Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase found a connection that worked, it would log (log/infof "Successfully connected, migrating to: %s" (pr-str test-details)) which would then print the username and password to the logger. This is fixed in 52.17.1, 53.9.5 and 54.1.5 in both the OSS and enterprise editions. Versions 51 and lower are not impacted. | ||||
| CVE-2025-67860 | 1 Suse | 1 Harvester | 2026-04-15 | 3.8 Low |
| A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. | ||||
| CVE-2024-27322 | 1 R Project | 1 R | 2026-04-15 | 8.8 High |
| Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2025-50709 | 1 Perplexity-ai | 1 Gpt-4 | 2026-04-15 | 4.3 Medium |
| An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter | ||||
| CVE-2024-3020 | 1 Shapedplugin | 3 Logo Carousel, Post Grid\, Post Carousel\, \& List Category Posts, Product Slider For Woocommerce | 2026-04-15 | 7.2 High |
| The plugin is vulnerable to PHP Object Injection in versions up to and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. This allows authenticated attackers, with administrator-level access to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2025-31129 | 2026-04-15 | 8.8 High | ||
| Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x). | ||||
| CVE-2025-3456 | 1 Arista | 1 Eos | 2026-04-15 | 3.8 Low |
| On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships. | ||||
| CVE-2025-7426 | 1 Minova | 1 Tta | 2026-04-15 | N/A |
| Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse. Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs | ||||
| CVE-2025-13467 | 1 Redhat | 1 Build Keycloak | 2026-04-15 | 5.5 Medium |
| A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | ||||
| CVE-2024-6878 | 1 Eliz Software | 1 Panel | 2026-04-15 | N/A |
| Files or Directories Accessible to External Parties vulnerability in Eliz Software Panel allows Collect Data from Common Resource Locations.This issue affects Panel: before v2.3.24. | ||||
| CVE-2026-4788 | 1 Ibm | 3 Tivoli Netcool/impact, Tivoli Netcool\/impact, Tivoli Netcool Impact | 2026-04-14 | 8.4 High |
| IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user. | ||||
| CVE-2026-3357 | 2 Ibm, Langflow | 2 Langflow Desktop, Langflow | 2026-04-14 | 8.8 High |
| IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. | ||||