Search Results (3243 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-12149 1 Search-guard 1 Search Guard 2026-04-15 N/A
In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.
CVE-2024-48792 1 Hideez 1 Com.hideez Firmware 2026-04-15 7.5 High
An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2025-46569 2026-04-15 8.1 High
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA’s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.
CVE-2025-52918 2026-04-15 5 Medium
Yealink RPS before 2025-05-26 does not prevent OpenAPI access by frozen enterprise accounts, allowing unauthorized access to deactivated interfaces.
CVE-2024-55579 2026-04-15 8.8 High
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February 2024 Patch 14, November 2023 Patch 16, August 2023 Patch 16, May 2023 Patch 18, and February 2023 Patch 15.
CVE-2025-54888 1 Fedify Project 1 Fedify 2026-04-15 N/A
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.
CVE-2025-48043 1 Ash-project 1 Ash 2026-04-15 N/A
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
CVE-2025-24500 1 Broadcom 1 Symantec Privileged Access Management 2026-04-15 N/A
The vulnerability allows an unauthenticated attacker to access information in PAM database.
CVE-2024-54124 1 Clickstudios 1 Passwordstate 2026-04-15 8.8 High
In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen.
CVE-2024-48651 1 Proftpd 1 Proftpd 2026-04-15 7.5 High
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
CVE-2025-54596 2026-04-15 4.3 Medium
Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts.
CVE-2025-26850 1 Quest 1 Kace Systems Management Appliance 2026-04-15 9.3 Critical
The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.
CVE-2024-5539 1 Carrier 2 Automatedlogic Webctrl, I-vu 2026-04-15 N/A
The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.
CVE-2025-46834 2026-04-15 N/A
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
CVE-2025-41030 1 T-innova 1 Deporsite 2026-04-15 N/A
Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via GET ‘/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona’ using the ‘dni’ parameter.
CVE-2025-27512 2026-04-15 N/A
Zincati is an auto-update agent for Fedora CoreOS hosts. Zincati ships a polkit rule which allows the `zincati` system user to use the actions `org.projectatomic.rpmostree1.deploy` to deploy updates to the system and `org.projectatomic.rpmostree1.finalize-deployment` to reboot the system into the deployed update. Since Zincati v0.0.24, this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the `zincati` system user. In practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload. This primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket. The logic error is fixed in Zincati v0.0.30. A workaround is to manually add a following polkit rule, instructions for which are available in the GitHub Security Advisory.
CVE-2024-28394 1 Advancedplugins 1 Reportsstatistics 2026-04-15 9.8 Critical
An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.
CVE-2024-28627 1 Flipsnack 1 Flipsnack 2026-04-15 7.5 High
An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file.
CVE-2025-65002 1 Fujitsu 1 Irmc 2026-04-15 7.5 High
Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
CVE-2025-29997 2026-04-15 N/A
This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API request URL to gain unauthorized access to other user accounts.