Search Results (3243 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-24872 2026-04-15 4.3 Medium
The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.
CVE-2024-58260 2 Rancher, Suse 2 Rancher, Rancher 2026-04-15 7.6 High
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.
CVE-2024-11176 2026-04-15 N/A
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.
CVE-2023-25189 2026-04-15 3.3 Low
BTS is affected by information disclosure vulnerability where mobile network operator personnel connected over BTS Web Element Manager, regardless of the access privileges, having a possibility to read BTS service operation details performed by Nokia Care service personnel via SSH.
CVE-2025-26850 1 Quest 1 Kace Systems Management Appliance 2026-04-15 9.3 Critical
The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.
CVE-2024-28394 1 Advancedplugins 1 Reportsstatistics 2026-04-15 9.8 Critical
An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.
CVE-2024-48541 1 Ruochan 1 Smart Firmware 2026-04-15 8.4 High
Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVE-2024-48548 1 Cloud Smart Lock 1 Cloud Smart Lock Firmware 2026-04-15 9.3 Critical
The APK file in Cloud Smart Lock v2.0.1 has a leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to bind to unknown devices by finding a valid serial number via a bruteforce attack.
CVE-2025-3260 1 Grafana 1 Grafana 2026-04-15 8.3 High
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
CVE-2025-54596 2026-04-15 4.3 Medium
Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts.
CVE-2020-36948 1 Vestacp 2 Control Panel, Vesta Control Panel 2026-04-15 9.8 Critical
VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
CVE-2024-3331 2026-04-15 6.8 Medium
Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability depends on the privileges of the user running the affected software..This issue affects Spotfire Enterprise Runtime for R - Server Edition: from 1.12.7 through 1.20.0; Spotfire Statistics Services: from 12.0.7 through 12.3.1, from 14.0.0 through 14.3.0; Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0.0 through 14.3.0; Spotfire Desktop: from 14.0 through 14.3.0; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0.0 through 14.3.0.
CVE-2025-8533 1 Flexibits 1 Fantastical 2026-04-15 N/A
A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16.
CVE-2025-41031 1 T-innova 1 Deporsite 2026-04-15 N/A
Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to change other users' profile pictures via a POST request using the parameters ‘IdPersona’ and “Foto” in ‘/ajax/TInnova_c/FotoUsuario/llamadaAjax/uploadImage’.
CVE-2024-2378 2026-04-15 8 High
A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on af-fected installations.
CVE-2024-28627 1 Flipsnack 1 Flipsnack 2026-04-15 7.5 High
An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file.
CVE-2025-27822 2026-04-15 7.5 High
An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.
CVE-2025-4975 2026-04-15 N/A
When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.
CVE-2025-20381 1 Splunk 1 Mcp Server 2026-04-15 5.4 Medium
In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions.
CVE-2025-11060 1 Redhat 1 Service Mesh 2026-04-15 5.7 Medium
A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.