Export limit exceeded: 346206 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346206 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55164 | 1 Content-security-policy-parser Project | 1 Content-security-policy-parser | 2026-04-15 | N/A |
| content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature. | ||||
| CVE-2025-49152 | 2026-04-15 | N/A | ||
| The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system. | ||||
| CVE-2025-54990 | 1 Xwiki | 1 Admin Tools | 2026-04-15 | 5.3 Medium |
| XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. This issue has been patched in version 1.1. A workaround involves setting the view rights for the AdminTools space to be only available for the XWikiAdminGroup. | ||||
| CVE-2025-48960 | 2026-04-15 | N/A | ||
| Weak server key used for TLS encryption. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938. | ||||
| CVE-2024-21532 | 1 Bahmutov | 1 Ggit | 2026-04-15 | 7.3 High |
| All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API. | ||||
| CVE-2025-54781 | 1 Himmelblau-idm | 1 Himmelblau | 2026-04-15 | 2.8 Low |
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaud_tasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the host's Intune compliance status, and may permit additional administrative operations for the Intune host device (though the API for these operations is undocumented). This is fixed in version 1.1.0. To workaround this issue, ensure that Himmelblau debugging is disabled. | ||||
| CVE-2025-54595 | 2026-04-15 | 7.3 High | ||
| Pearcleaner is a free, source-available and fair-code licensed mac app cleaner. The PearcleanerHelper is a privileged helper tool bundled with the Pearcleaner application. It is registered and activated only after the user approves a system prompt to allow privileged operations. Upon approval, the helper is configured as a LaunchDaemon and runs with root privileges. In versions 4.4.0 through 4.5.1, the helper registers an XPC service (com.alienator88.Pearcleaner.PearcleanerHelper) and accepts unauthenticated connections from any local process. It exposes a method that executes arbitrary shell commands. This allows any local unprivileged user to escalate privileges to root once the helper is approved and active. This issue is fixed in version 4.5.2. | ||||
| CVE-2024-21531 | 1 Git | 1 Git-shallow-clone | 2026-04-15 | 5.3 Medium |
| All versions of the package git-shallow-clone are vulnerable to Command injection due to missing sanitization or mitigation flags in the process variable of the gitShallowClone function. | ||||
| CVE-2025-54590 | 2026-04-15 | N/A | ||
| webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with "localhost" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1. | ||||
| CVE-2024-11431 | 2026-04-15 | 6.4 Medium | ||
| The Ragic Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ragic' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-54167 | 1 Qnap | 1 Notification Center | 2026-04-15 | N/A |
| A cross-site scripting (XSS) vulnerability has been reported to affect Notification Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Notification Center 2.1.0.3443 and later Notification Center 1.9.2.3163 and later Notification Center 3.0.0.3466 and later | ||||
| CVE-2024-11202 | 2026-04-15 | 6.1 Medium | ||
| Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-57494 | 1 Neto | 1 Ecommerce Cms | 2026-04-15 | 6.5 Medium |
| Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter. | ||||
| CVE-2025-51986 | 2 Cwalter-at, Embedded-solutions | 2 Freemodbus, Freemodbus | 2026-04-15 | 7.5 High |
| An issue was discovered in the demo/LINUXTCP implementation of cwalter-at freemodbus v.2018-09-12 allowing attackers to reach an infinite loop via a crafted length value for a packet. | ||||
| CVE-2025-41647 | 2026-04-15 | 5.5 Medium | ||
| A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. | ||||
| CVE-2025-41421 | 2 Microsoft, Teamviewer | 6 Windows, Full Client, Host and 3 more | 2026-04-15 | 4.7 Medium |
| Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows — in versions prior to 15.70 of TeamViewer Remote and Tensor — allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information. | ||||
| CVE-2024-13887 | 2026-04-15 | 5.3 Medium | ||
| The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings. | ||||
| CVE-2025-40925 | 1 Starch | 1 Starch | 2026-04-15 | 9.1 Critical |
| Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. | ||||
| CVE-2025-53703 | 2026-04-15 | 7.5 High | ||
| DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers. | ||||
| CVE-2025-53692 | 1 Sitecore | 2 Experience Manager, Experience Platform | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. | ||||