Export limit exceeded: 47085 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12000 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12000 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59364 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2026-04-15 | 5.3 Medium |
| The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body. | ||||
| CVE-2024-32512 | 2026-04-15 | 5.3 Medium | ||
| Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20. | ||||
| CVE-2025-22227 | 2026-04-15 | 6.1 Medium | ||
| In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. | ||||
| CVE-2024-2261 | 2026-04-15 | 4.3 Medium | ||
| The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses. | ||||
| CVE-2024-46528 | 1 Kubesphere | 1 Kubesphere | 2026-04-15 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere 4.x before 4.1.3 and 3.x through 3.4.1 and KubeSphere Enterprise 4.x before 4.1.3 and 3.x through 3.5.0 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks. | ||||
| CVE-2024-35229 | 1 Matter-labs | 1 Era-compiler-solidity | 2026-04-15 | 5.3 Medium |
| ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to version 1.3.10, there is a very specific pattern `f(a(),b()); check_if_a_executed_last()` in Yul that exposes a bug in evaluation order of Yul function arguments. This vulnerability has been fixed in version 1.3.10. As a workaround, update and redeploy affected contracts. | ||||
| CVE-2025-60511 | 1 Moodle | 1 Moodle | 2026-04-15 | 4.3 Medium |
| Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources. | ||||
| CVE-2025-25497 | 2026-04-15 | 8.1 High | ||
| An issue in account management interface in Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership reassignment to or away from any user. | ||||
| CVE-2025-41116 | 1 Grafana | 1 Grafana | 2026-04-15 | N/A |
| When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0 | ||||
| CVE-2025-32942 | 1 Ssh | 1 Tectia Server | 2026-04-15 | 7.2 High |
| SSH Tectia Server before 6.6.6 sometimes allows attackers to read and alter a user's session traffic. | ||||
| CVE-2024-37018 | 1 Linuxfoundation | 1 Opendaylight | 2026-04-15 | 9.1 Critical |
| The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets. | ||||
| CVE-2024-35220 | 2026-04-15 | 7.4 High | ||
| @fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched 10.8.0. | ||||
| CVE-2025-3047 | 2026-04-15 | 6.5 Medium | ||
| When running the AWS Serverless Application Model Command Line Interface (SAM CLI) build process with Docker and symlinks are included in the build files, the container environment allows a user to access privileged files on the host by leveraging the elevated permissions granted to the tool. A user could leverage the elevated permissions to access restricted files via symlinks and copy them to a more permissive location on the container. Users should upgrade to v1.133.0 or newer and ensure any forked or derivative code is patched to incorporate the new fixes. | ||||
| CVE-2025-58627 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | ||||
| CVE-2024-6125 | 2026-04-15 | 8.1 High | ||
| The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code. | ||||
| CVE-2024-6079 | 1 Rockwellautomation | 1 Emulate3d | 2026-04-15 | N/A |
| A vulnerability exists in the Rockwell Automation Emulate3D™, which could be leveraged to execute a DLL Hijacking attack. The application loads shared libraries, which are readable and writable by any user. If exploited, a malicious user could leverage a malicious dll and perform a remote code execution attack. | ||||
| CVE-2024-46326 | 1 Pkp | 1 Pkb-lib | 2026-04-15 | 6.1 Medium |
| Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function. | ||||
| CVE-2025-59692 | 2 Linux, Purevpn | 2 Linux, Purevpn | 2026-04-15 | 3.7 Low |
| PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system's existing iptables rules and apply default ACCEPT policies when connecting to a VPN server. This removes firewall rules that may have been configured manually or by other software (e.g., UFW, container engines, or system security policies). Upon VPN disconnect, the original firewall state is not restored. As a result, the system may become unintentionally exposed to network traffic that was previously blocked. This affects CLI 2.0.1 and GUI 2.10.0. | ||||
| CVE-2025-4338 | 2026-04-15 | 6.8 Medium | ||
| Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application. | ||||
| CVE-2025-0325 | 2026-04-15 | 4.3 Medium | ||
| A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device. | ||||