Export limit exceeded: 363814 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12677 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0749 | 2026-04-15 | 8.1 High | ||
| The Homey theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.3. This is due to the 'verification_id' value being set to empty, and the not empty check is missing in the dashboard user profile page. This makes it possible for unauthenticated attackers to log in to the first verified user. | ||||
| CVE-2025-0783 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability, which was classified as problematic, was found in pankajindevops scale up to 20241113. This affects an unknown part of the component API Endpoint. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||
| CVE-2025-10247 | 1 Jepaas | 1 Jepaas | 2026-04-15 | 6.3 Medium |
| A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10653 | 1 Raise3d | 1 Pro2 Series | 2026-04-15 | 8.6 High |
| An unauthenticated debug port may allow access to the device file system. | ||||
| CVE-2025-11174 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint. | ||||
| CVE-2024-36444 | 1 Swissphone | 1 Dical-red 4009 | 2026-04-15 | 8.1 High |
| cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs. | ||||
| CVE-2023-52164 | 2026-04-15 | 5.1 Medium | ||
| access_device.cgi on Digiever DS-2105 Pro 3.1.0.71-11 devices allows arbitrary file read. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-3597 | 1 Redhat | 2 Build Keycloak, Red Hat Single Sign On | 2026-04-15 | 5 Medium |
| A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. | ||||
| CVE-2024-36532 | 1 Openkruise | 1 Kruise | 2026-04-15 | 10 Critical |
| Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
| CVE-2024-9106 | 1 Xunhuweb | 1 Wechat Social Login | 2026-04-15 | 9.8 Critical |
| The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value. | ||||
| CVE-2025-43027 | 1 Genetec | 1 Security Center | 2026-04-15 | 9.8 Critical |
| A critical severity vulnerability has been identified in the ALPR Manager role of Security Center that could allow attackers to gain administrative access to the Genetec Security Center system. The Genetec engineering team discovered this issue internally. There is currently no evidence that this vulnerability has been exploited in the wild. | ||||
| CVE-2024-57491 | 2026-04-15 | 8.8 High | ||
| Authentication Bypass vulnerability in jobx up to v1.0.1-RELEASE allows an attacker can exploit this vulnerability to access sensitive API without any token via the preHandle function. | ||||
| CVE-2024-45811 | 2 Redhat, Vitejs | 2 Openshift Distributed Tracing, Vite | 2026-04-15 | 4.8 Medium |
| Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-44178 | 1 Dasan | 1 H660wm | 2026-04-15 | 6.5 Medium |
| DASAN GPON ONU H660WM H660WMR210825 is susceptible to improper access control under its default settings. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information and modify its configuration via the UPnP protocol WAN sides without any authentication. | ||||
| CVE-2025-61156 | 1 Pctools | 1 Threatfire | 2026-04-15 | 7.8 High |
| Incorrect access control in the kernel driver of ThreatFire System Monitor v4.7.0.53 allows attackers to escalate privileges and execute arbitrary commands via an insecure IOCTL. | ||||
| CVE-2025-60291 | 1 Etimetracklite | 1 Etimetracklite | 2026-04-15 | 9.1 Critical |
| An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations. | ||||
| CVE-2025-60982 | 1 Educare | 1 Educare Erp | 2026-04-15 | 5.4 Medium |
| IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object identifiers in API requests. Attackers can exploit this flaw to view or modify sensitive records without proper authorization. | ||||
| CVE-2025-61118 | 2 Google, Skytop | 2 Android, Mcarfix App | 2026-04-15 | 7.5 High |
| mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data and groups. Successful exploitation could result in fake account creation, privacy breaches, and misuse of the platform. | ||||
| CVE-2025-24313 | 2 Intel, Kubernetes | 2 Device Plugins For Kubernetes, Kubernetes | 2026-04-15 | 4.4 Medium |
| Improper access control for some Device Plugins for Kubernetes software maintained by Intel before version 0.32.0 may allow a privileged user to potentially enable denial of service via local access. | ||||
| CVE-2024-31967 | 1 Mitel | 3 6800 Series Sip Phones, 6900 Series Sip Phones, 6970 Conference Unit | 2026-04-15 | 9.1 Critical |
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration. | ||||