Export limit exceeded: 363273 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12624 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65128 | 1 Shenzhen Zhibotong Electronics | 1 Zbt We2001 | 2026-04-15 | 8.1 High |
| A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session. | ||||
| CVE-2024-45489 | 1 The Browser Company | 1 Arc | 2026-04-15 | 9.8 Critical |
| Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users. | ||||
| CVE-2024-50644 | 2026-04-15 | 9.8 Critical | ||
| zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | ||||
| CVE-2024-50645 | 1 Mallchat Project | 1 Mallchat | 2026-04-15 | 9.8 Critical |
| MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | ||||
| CVE-2024-53494 | 2026-04-15 | 7.5 High | ||
| Incorrect access control in the preHandle function of SpringBootBlog v1.0.0 allows attackers to access sensitive components without authentication. | ||||
| CVE-2025-7703 | 2026-04-15 | 3.1 Low | ||
| Authentication vulnerability in the mobile application(tech.palm.id)may lead to the risk of information leakage. | ||||
| CVE-2024-31964 | 1 Mitel | 3 6800 Series Sip Phones, 6900w Series Sip Phone, 6970 Conference Unit | 2026-04-15 | 7.5 High |
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication control. A successful exploit could allow an attacker to modify system configuration settings and potentially cause a denial of service. | ||||
| CVE-2024-9692 | 1 Vimesa | 1 Vhf\/fm Transmitter Blue Plus | 2026-04-15 | N/A |
| VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations. | ||||
| CVE-2024-50341 | 1 Symfony | 1 Symfony | 2026-04-15 | 3.1 Low |
| symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-50640 | 2026-04-15 | 9.8 Critical | ||
| jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function | ||||
| CVE-2025-71057 | 1 D-link | 1 Wireless N 300 Adsl2+ Modem Router | 2026-04-15 | 8.2 High |
| Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | ||||
| CVE-2025-13427 | 1 Google | 1 Cloud Dialogflow Cx | 2026-04-15 | N/A |
| An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability to trigger their intents, by manipulating initialization parameters or crafting specific API requests. All versions after August 20th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | ||||
| CVE-2024-50945 | 2026-04-15 | 7.5 High | ||
| An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product. | ||||
| CVE-2025-25617 | 2026-04-15 | 4.3 Medium | ||
| Incorrect Access Control in Unifiedtransform 2.X leads to Privilege Escalation allowing teachers to create syllabus. | ||||
| CVE-2025-14088 | 1 Ketr | 1 Jepaas | 2026-04-15 | 6.3 Medium |
| A vulnerability was determined in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is an unknown functionality of the file /je/load. This manipulation of the argument Authorization causes improper authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-11320 | 1 Zhuimengshaonian | 1 Wisdom-education | 2026-04-15 | 6.3 Medium |
| A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Impacted is the function uploadFile of the file src/main/java/com/education/core/controller/UploadController.java. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-36444 | 1 Swissphone | 1 Dical-red 4009 | 2026-04-15 | 8.1 High |
| cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs. | ||||
| CVE-2023-52164 | 2026-04-15 | 5.1 Medium | ||
| access_device.cgi on Digiever DS-2105 Pro 3.1.0.71-11 devices allows arbitrary file read. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-3580 | 1 Grafana | 1 Grafana | 2026-04-15 | 5.5 Medium |
| An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | ||||
| CVE-2023-3597 | 1 Redhat | 2 Build Keycloak, Red Hat Single Sign On | 2026-04-15 | 5 Medium |
| A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. | ||||