Export limit exceeded: 366134 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (5689 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-45489 1 The Browser Company 1 Arc 2026-04-15 9.8 Critical
Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users.
CVE-2024-53494 2026-04-15 7.5 High
Incorrect access control in the preHandle function of SpringBootBlog v1.0.0 allows attackers to access sensitive components without authentication.
CVE-2024-9692 1 Vimesa 1 Vhf\/fm Transmitter Blue Plus 2026-04-15 N/A
VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.
CVE-2025-25730 2026-04-15 4.6 Medium
An issue in Motorola Mobility Droid Razr HD (Model XT926) System Version: 9.18.94.XT926.Verizon.en.US allows physically proximate unauthorized attackers to access USB debugging, leading to control of the host device itself.
CVE-2024-50945 2026-04-15 7.5 High
An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.
CVE-2025-61116 2 Google, Scriptsbundle 2 Android, Adforest 2026-04-15 7.5 High
AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be manipulated by attackers to gain unauthorized access to user accounts. Successful exploitation could result in account compromise, privacy breaches, and misuse of the platform.
CVE-2025-55012 1 Zed-industries 1 Zed 2026-04-15 N/A
Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue involves either avoid sending prompts to the Agent Panel, or to limit the AI Agent's file system access.
CVE-2026-5863 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-25176 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-14 7.8 High
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-24290 1 Microsoft 22 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 19 more 2026-04-14 7.8 High
Improper access control in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-23660 1 Microsoft 3 Azure Portal Windows Admin Center, Windows Admin Center, Windows Admin Center In Azure Portal 2026-04-14 7.8 High
Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
CVE-2026-21262 1 Microsoft 15 Microsoft Sql Server 2016 Service Pack 3 (gdr), Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack, Microsoft Sql Server 2017 (cu 31) and 12 more 2026-04-14 8.8 High
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-31150 1 Kaleris 2 Yard Management Solutions, Yms 2026-04-13 4.3 Medium
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
CVE-2025-56015 1 Genieacs 1 Genieacs 2026-04-13 7.5 High
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
CVE-2026-39339 1 Churchcrm 1 Churchcrm 2026-04-13 9.1 Critical
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
CVE-2026-33415 1 Discourse 1 Discourse 2026-04-10 4.3 Medium
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVE-2026-23899 1 Joomla 2 Joomla!, Joomla\! 2026-04-10 8.8 High
An improper access check allows unauthorized access to webservice endpoints.
CVE-2026-21629 1 Joomla 2 Joomla!, Joomla\! 2026-04-10 7.3 High
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
CVE-2026-39346 1 Orangehrm 1 Orangehrm 2026-04-10 6.5 Medium
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1.
CVE-2025-3783 1 Senior-walter 1 Web-based Pharmacy Product Management System 2026-04-09 6.3 Medium
A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-product.php. The manipulation of the argument Avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.