Export limit exceeded: 11654 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11654 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-43256 2026-04-15 7.1 High
Missing Authorization vulnerability in nouthemes Leopard - WordPress offload media allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Leopard - WordPress offload media: from n/a through 2.0.36.
CVE-2024-43268 2 Wordpress, Wpbackitup 2 Wordpress, Backup And Restore Wordpress 2026-04-15 5.4 Medium
Access Control vulnerability in WPBackItUp Backup and Restore WordPress allows . This issue affects Backup and Restore WordPress: from n/a through 1.50.
CVE-2024-43273 1 Icegram 1 Icegram Collect 2026-04-15 5.4 Medium
Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect plugin: from n/a through 1.3.14.
CVE-2024-43285 1 Wordpress 1 Wordpress 2026-04-15 6.3 Medium
Missing Authorization vulnerability in Presto Made, Inc Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Presto Player: from n/a through 3.0.2.
CVE-2025-3746 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
CVE-2024-48548 1 Cloud Smart Lock 1 Cloud Smart Lock Firmware 2026-04-15 9.3 Critical
The APK file in Cloud Smart Lock v2.0.1 has a leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to bind to unknown devices by finding a valid serial number via a bruteforce attack.
CVE-2024-48541 1 Ruochan 1 Smart Firmware 2026-04-15 8.4 High
Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVE-2024-48538 1 Netdvr 1 Neye3c 2026-04-15 9.8 Critical
Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVE-2023-25189 2026-04-15 3.3 Low
BTS is affected by information disclosure vulnerability where mobile network operator personnel connected over BTS Web Element Manager, regardless of the access privileges, having a possibility to read BTS service operation details performed by Nokia Care service personnel via SSH.
CVE-2024-47585 2026-04-15 4.3 Medium
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the application and may have only a low impact on data confidentiality.
CVE-2025-4975 2026-04-15 N/A
When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.
CVE-2025-12041 2 Apos37, Wordpress 2 Eri File Library, Wordpress 2026-04-15 5.3 Medium
The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.
CVE-2024-41617 1 Moneymanagerex 1 Money Manager Ex Webapp 2026-04-15 9.8 Critical
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution.
CVE-2025-9228 1 Mobile-industrial-robots 5 Mir100, Mir1000, Mir200 and 2 more 2026-04-15 4.3 Medium
MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.
CVE-2025-13472 1 Perforce 1 Blazemeter 2026-04-15 N/A
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.
CVE-2025-3953 2026-04-15 5.4 Medium
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
CVE-2025-12721 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
CVE-2024-32821 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in TotalSuite Total Poll Lite.This issue affects Total Poll Lite: from n/a through 4.9.9.
CVE-2023-4617 2026-04-15 10 Critical
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values.  This issue affects Govee Home applications on Android and iOS in versions before 5.9.
CVE-2025-46744 2026-04-15 2.7 Low
An authenticated administrator could modify the Created By username for a user account