Total
2817 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43251 | 1 Apple | 2 Macos, Macos Sequoia | 2026-04-02 | 5.5 Medium |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items. | ||||
| CVE-2024-54495 | 1 Apple | 1 Macos | 2026-04-02 | 5.5 Medium |
| The issue was addressed with improved permissions logic. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to modify protected parts of the file system. | ||||
| CVE-2025-24141 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 3.3 Low |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked. | ||||
| CVE-2024-44162 | 1 Apple | 1 Xcode | 2026-04-02 | 7.8 High |
| This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items. | ||||
| CVE-2024-40770 | 1 Apple | 1 Macos | 2026-04-02 | 7.5 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings. | ||||
| CVE-2025-31227 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 4.6 Medium |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to access a deleted call recording. | ||||
| CVE-2024-40843 | 1 Apple | 1 Macos | 2026-04-02 | 5.5 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to modify protected parts of the file system. | ||||
| CVE-2024-44136 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 9.1 Critical |
| This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection. | ||||
| CVE-2025-43459 | 1 Apple | 1 Watchos | 2026-04-02 | 4.6 Medium |
| An authentication issue was addressed with improved state management. This issue is fixed in watchOS 26.1. An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail. | ||||
| CVE-2025-30469 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 2.4 Low |
| This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4. A person with physical access to an iOS device may be able to access photos from the lock screen. | ||||
| CVE-2025-31254 | 1 Apple | 5 Ios, Ipad Os, Ipados and 2 more | 2026-04-02 | 5.4 Medium |
| This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection. | ||||
| CVE-2025-43307 | 1 Apple | 1 Macos | 2026-04-02 | 4 Medium |
| This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. | ||||
| CVE-2026-33576 | 1 Openclaw | 1 Openclaw | 2026-04-02 | 6.5 Medium |
| OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected. | ||||
| CVE-2026-33578 | 1 Openclaw | 1 Openclaw | 2026-04-02 | 4.3 Medium |
| OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions. | ||||
| CVE-2026-33577 | 1 Openclaw | 1 Openclaw | 2026-04-02 | 8.1 High |
| OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level. | ||||
| CVE-2026-3210 | 2 Drupal, Imagexmedia | 2 Material Icons, Material Icons | 2026-04-02 | 5.3 Medium |
| Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4. | ||||
| CVE-2026-33726 | 1 Cilium | 1 Cilium | 2026-04-02 | 5.4 Medium |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers. | ||||
| CVE-2026-0562 | 2 Lollms, Parisneo | 2 Lollms, Parisneo/lollms | 2026-04-02 | 8.3 High |
| A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0. | ||||
| CVE-2026-34506 | 1 Openclaw | 1 Openclaw | 2026-04-01 | 4.3 Medium |
| OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes. | ||||
| CVE-2024-50419 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2026-04-01 | 9.8 Critical |
| Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 9.7. | ||||