Export limit exceeded: 347773 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (347773 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5740 | 2026-04-15 | 7.2 High | ||
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an authenticated user on the web server manipulates file path. | ||||
| CVE-2023-48361 | 2026-04-15 | 2.3 Low | ||
| Improper initialization in firmware for some Intel(R) CSME may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2025-57443 | 2 Apple, Frostwire | 2 Macos, Frostwire | 2026-04-15 | 5.1 Medium |
| FrostWire 6.14.0-build-326 for macOS contains permissive entitlements (allow-dyld-environment-variables, disable-library-validation) that allow unprivileged local attackers to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environment variable. This allows escalated privileges to arbitrary TCC-approved directories. | ||||
| CVE-2025-57457 | 1 Curo | 1 Uc300 | 2026-04-15 | 8.8 High |
| An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter. | ||||
| CVE-2025-0500 | 2026-04-15 | 7.5 High | ||
| An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle. | ||||
| CVE-2023-53946 | 1 Arcsoft | 1 Photostudio | 2026-04-15 | 8.4 High |
| Arcsoft PhotoStudio 6.0.0.172 contains an unquoted service path vulnerability in the ArcSoft Exchange Service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and trigger the service to execute arbitrary code with system-level permissions. | ||||
| CVE-2023-53947 | 1 Ocsinventory-ng | 2 Ocs Inventory Ng, Ocsinventory Ng | 2026-04-15 | 8.4 High |
| OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to system level. Attackers can place a malicious executable in the unquoted service path and trigger the service restart to execute code with elevated system privileges. | ||||
| CVE-2023-53948 | 1 Cat03 | 1 Lilac-reloaded | 2026-04-15 | 9.8 Critical |
| Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint. | ||||
| CVE-2023-53949 | 1 Aspemail | 1 Aspemail | 2026-04-15 | 8.4 High |
| AspEmail 5.6.0.2 contains a binary permission vulnerability that allows local users to escalate privileges through the Persits Software EmailAgent service. Attackers can exploit full write permissions in the BIN directory to replace the service executable and gain elevated system access. | ||||
| CVE-2023-53950 | 1 Innovastudio | 1 Wysiwyg Editor | 2026-04-15 | 9.8 Critical |
| InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. | ||||
| CVE-2023-53954 | 1 Actfax | 1 Actfax | 2026-04-15 | 6.2 Medium |
| ActFax 10.10 contains an unquoted service path vulnerability that allows local attackers to potentially escalate privileges by exploiting the ActiveFaxServiceNT service configuration. Attackers with write permissions to Program Files directories can inject a malicious ActSrvNT.exe executable to gain elevated system access when the service restarts. | ||||
| CVE-2024-6661 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The ParityPress – Parity Pricing with Discount Rules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Discount Text' in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2023-53956 | 1 Flatnux | 1 Flatnux | 2026-04-15 | 8.8 High |
| Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. | ||||
| CVE-2023-53958 | 1 Ltb-project | 1 Ldap Tool Box Self Service Password | 2026-04-15 | 7.5 High |
| LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens. | ||||
| CVE-2024-7137 | 2026-04-15 | 6.5 Medium | ||
| The L2CAP receive data buffer for L2CAP packets is restricted to packet sizes smaller than the maximum supported packet size. Receiving a packet that exceeds the restricted buffer length may cause a crash. A hard reset is required to recover the crashed device. | ||||
| CVE-2025-57563 | 1 Starnet | 1 Fastx | 2026-04-15 | 6.5 Medium |
| A path traversal in StarNet Communications Corporation FastX v.4 through v4.1.51 allows unauthenticated attackers to read arbitrary files. | ||||
| CVE-2025-57567 | 1 Pluxml | 1 Pluxml | 2026-04-15 | 9.1 Critical |
| A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. | ||||
| CVE-2025-64385 | 1 Circutor | 1 Tcprs1plus | 2026-04-15 | N/A |
| The equipment initially can be configured using the manufacturer's application, by Wi-Fi, by the web server or with the manufacturer’s software. Using the manufacturer's software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device's MAC without the need for authentication. | ||||
| CVE-2025-64387 | 1 Circutor | 1 Tcprs1plus | 2026-04-15 | N/A |
| The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. | ||||
| CVE-2025-64389 | 1 Circutor | 1 Tcprs1plus | 2026-04-15 | N/A |
| The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol. | ||||