Total
2155 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25241 | 1 Microsoft | 1 Vpn Browser+ | 2026-04-07 | 7.5 High |
| VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application. | ||||
| CVE-2018-25246 | 1 Wikipedia | 1 Wikipedia | 2026-04-07 | 7.5 High |
| Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of repeated characters into the search bar to trigger an application crash. | ||||
| CVE-2026-0545 | 1 Mlflow | 1 Mlflow | 2026-04-07 | N/A |
| In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results. | ||||
| CVE-2019-25678 | 1 C4g | 1 Basic Laboratory Information System | 2026-04-07 | 8.2 High |
| C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the users_select.php endpoint with crafted SQL payloads to extract sensitive database information including patient records and system credentials. | ||||
| CVE-2019-25686 | 1 Coreftp | 1 Core Ftp | 2026-04-07 | 7.5 High |
| Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process. | ||||
| CVE-2026-35450 | 1 Wwbn | 1 Avideo | 2026-04-07 | 5.3 Medium |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin(). | ||||
| CVE-2026-5676 | 1 Totolink | 1 A8000r | 2026-04-07 | 7.3 High |
| A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-33951 | 1 Signalk | 2 Signal K Server, Signalk-server | 2026-04-07 | 7.5 High |
| Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1. | ||||
| CVE-2026-35388 | 1 Openbsd | 1 Openssh | 2026-04-07 | 2.5 Low |
| OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | ||||
| CVE-2026-34758 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2026-04-07 | 9.1 Critical |
| OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42. | ||||
| CVE-2026-5616 | 1 Jeecg | 1 Jeecgboot | 2026-04-07 | 7.3 High |
| A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release. | ||||
| CVE-2026-5632 | 2026-04-06 | 7.3 High | ||
| A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-4272 | 2026-04-06 | 8.1 High | ||
| Missing Authentication for Critical Function vulnerability in Honeywell Handheld Scanners allows Authentication Abuse.This issue affects Handheld Scanners: from C1 Base(Ingenic x1000) before GK000432BAA, from D1 Base(Ingenic x1600) before HE000085BAA, from A1/B1 Base(IMX25) before BK000763BAA_BK000765BAA_CU000101BAA. This vulnerability could allow a remote attacker within Bluetooth range of the scanner's base station has the capability to remotely execute system commands on the host connected to the base station without authentication. This issue has been assigned CVE-2026-4272 https://nvd.nist.gov/vuln/detail/CVE-2026-4272 and rated with a severity of High. Honeywell strongly recommends that users upgrade to the latest version identified to resolve the vulnerability. | ||||
| CVE-2025-15620 | 1 Belden | 1 Hirschmann Hios Switch Platform | 2026-04-03 | 9.3 Critical |
| HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contains a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch. | ||||
| CVE-2025-14300 | 1 Tp-link | 4 Tapo, Tapo C200, Tapo C200 Firmware and 1 more | 2026-04-03 | 8.1 High |
| The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS). | ||||
| CVE-2026-34227 | 1 Bishopfox | 1 Sliver | 2026-04-03 | 8.8 High |
| Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, ntds.dit) or destroying the entire compromised infrastructure, entirely through the operator's own browser. This issue has been patched in version 1.7.4. | ||||
| CVE-2026-34072 | 1 Fccview | 1 Cronmaster | 2026-04-03 | 8.3 High |
| Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-21767 | 1 Hcltech | 1 Bigfix Platform | 2026-04-03 | 4 Medium |
| HCL BigFix Platform is affected by insufficient authentication. The application might allow users to access sensitive areas of the application without proper authentication. | ||||
| CVE-2026-29132 | 1 Seppmail | 1 Seppmail Secure Email Gateway | 2026-04-03 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails. | ||||
| CVE-2026-3207 | 1 Tibco | 1 Bpm Enterprise | 2026-04-03 | 9.8 Critical |
| Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access. | ||||