Export limit exceeded: 348079 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348079 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40155 | 2026-04-15 | 6.7 Medium | ||
| Uncontrolled search path for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-40148 | 2026-04-15 | 6.5 Medium | ||
| Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests. | ||||
| CVE-2025-66161 | 2 Merkulove, Wordpress | 2 Grider For Elementor, Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Grider for Elementor grider-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grider for Elementor: from n/a through <= 1.0.8. | ||||
| CVE-2023-34049 | 1 Salt Project | 1 Salt | 2026-04-15 | 6.7 Medium |
| The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails. | ||||
| CVE-2023-39933 | 2026-04-15 | 4.3 Medium | ||
| Insufficient verification vulnerability exists in Broadcast Mail CGI (pmc.exe) included in A.K.I Software's PMailServer/PMailServer2 products. If this vulnerability is exploited, a user who can upload files through the product may execute an arbitrary executable file with the web server's execution privilege. | ||||
| CVE-2023-39929 | 2026-04-15 | 6.7 Medium | ||
| Uncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-3943 | 2026-04-15 | 10 Critical | ||
| Stack-based Buffer Overflow vulnerability in ZkTeco-based OEM devices allows, in some cases, the execution of arbitrary code. Due to the lack of protection mechanisms such as stack canaries and PIE, it is possible to successfully execute code even under restrictive conditions. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2023-3941 | 2026-04-15 | 10 Critical | ||
| Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2023-3939 | 2026-04-15 | 10 Critical | ||
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in ZkTeco-based OEM devices allows OS Command Injection. Since all the found command implementations are executed from the superuser, their impact is the maximum possible. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other. | ||||
| CVE-2023-3938 | 2026-04-15 | 4.6 Medium | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZkTeco-based OEM devices allows an attacker to authenticate under any user from the device database. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2023-39368 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 6.5 Medium |
| Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access. | ||||
| CVE-2023-39161 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Discussion Board Discussion Board allows Content Spoofing, Cross-Site Scripting (XSS).This issue affects Discussion Board: from n/a through 2.4.8. | ||||
| CVE-2023-38302 | 2026-04-15 | 4.3 Medium | ||
| A certain software build for the Sharp Rouvo V device (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys) leaks the Wi-Fi MAC address and the Bluetooth MAC address to system properties that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in this instance they are leaked by a high-privilege process and can be obtained indirectly. This malicious app reads from the "ro.boot.wifi_mac" system property to indirectly obtain the Wi-Fi MAC address and reads the "ro.boot.bt_mac" system property to obtain the Bluetooth MAC address. | ||||
| CVE-2024-12219 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-56017 is likely a duplicate of this issue. | ||||
| CVE-2023-38299 | 2026-04-15 | 5.5 Medium | ||
| Various software builds for the AT&T Calypso, Nokia C100, Nokia C200, and BLU View 3 devices leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: AT&T Calypso (ATT/U318AA/U318AA:10/QP1A.190711.020/1632369780:user/release-keys); Nokia C100 (Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_190:user/release-keys and Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_270:user/release-keys); Nokia C200 (Nokia/Drake_02US/DRK:12/SP1A.210812.016/02US_1_080:user/release-keys); and BLU View 3 (BLU/B140DL/B140DL:11/RP1A.200720.011/1628014629:user/release-keys, BLU/B140DL/B140DL:11/RP1A.200720.011/1632535579:user/release-keys, BLU/B140DL/B140DL:11/RP1A.200720.011/1637325978:user/release-keys, BLU/B140DL/B140DL:11/RP1A.200720.011/1650073052:user/release-keys, BLU/B140DL/B140DL:11/RP1A.200720.011/1657087912:user/release-keys, BLU/B140DL/B140DL:11/RP1A.200720.011/1666316280:user/release-keys, and BLU/B140DL/B140DL:11/RP1A.200720.011/1672371162:user/release-keys). This malicious app reads from the "persist.sys.imei1" system property to indirectly obtain the device IMEI. | ||||
| CVE-2023-38298 | 2026-04-15 | 8.8 High | ||
| Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys); TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys); TCL 20XE (TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB7I-0:user/release-keys and TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB83-0:user/release-keys); and TCL 10L (TCL/T770B/T1_LITE:10/QKQ1.200329.002/3CJ0:user/release-keys and TCL/T770B/T1_LITE:11/RKQ1.210107.001/8BIC:user/release-keys). This malicious app reads from the "gsm.device.imei0" system property to indirectly obtain the device IMEI. | ||||
| CVE-2023-38295 | 2026-04-15 | 7.8 High | ||
| Certain software builds for the TCL 30Z and TCL 10 Android devices contain a vulnerable, pre-installed app that relies on a missing permission that provides no protection at runtime. The missing permission is required as an access permission by components in various pre-installed apps. On the TCL 30Z device, the vulnerable app has a package name of com.tcl.screenrecorder (versionCode='1221092802', versionName='v5.2120.02.12008.1.T' ; versionCode='1221092805', versionName='v5.2120.02.12008.2.T'). On the TCL 10L device, the vulnerable app has a package name of com.tcl.sos (versionCode='2020102827', versionName='v3.2014.12.1012.B'). When a third-party app declares and requests the missing permission, it can interact with certain service components in the aforementioned apps (that execute with "system" privileges) to perform arbitrary files reads/writes in its context. An app exploiting this vulnerability only needs to declare and request the single missing permission and no user interaction is required beyond installing and running a third-party app. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 10L (TCL/T770B/T1_LITE:11/RKQ1.210107.001/8BIC:user/release-keys) and TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys). This malicious app declares the missing permission named com.tct.smart.switchphone.permission.SWITCH_DATA as a normal permission, requests the missing permission, and uses it to interact with the com.tct.smart.switchdata.DataService service component that is declared in vulnerable apps that execute with "system" privileges to perform arbitrary file reads/writes. | ||||
| CVE-2024-27176 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 7.2 High |
| An attacker can get Remote Code Execution by overwriting files. Overwriting files is enable by falsifying session ID variable. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2023-38293 | 2026-04-15 | 7.3 High | ||
| Certain software builds for the Nokia C200 and Nokia C100 Android devices contain a vulnerable, pre-installed app with a package name of com.tracfone.tfstatus (versionCode='31', versionName='12') that allows local third-party apps to execute arbitrary AT commands in its context (radio user) via AT command injection due to inadequate access control and inadequate input filtering. No permissions or special privileges are necessary to exploit the vulnerability in the com.tracfone.tfstatus app. No user interaction is required beyond installing and running a third-party app. The software build fingerprints for each confirmed vulnerable device are as follows: Nokia C200 (Nokia/Drake_02US/DRK:12/SP1A.210812.016/02US_1_080:user/release-keys and Nokia/Drake_02US/DRK:12/SP1A.210812.016/02US_1_040:user/release-keys) and Nokia C100 (Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_270:user/release-keys, Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_190:user/release-keys, Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_130:user/release-keys, Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_110:user/release-keys, Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_080:user/release-keys, and Nokia/DrakeLite_02US/DKT:12/SP1A.210812.016/02US_1_050:user/release-keys). This malicious app sends a broadcast Intent to the receiver component named com.tracfone.tfstatus/.TFStatus. This broadcast receiver extracts a string from the Intent and uses it as an extra when it starts the com.tracfone.tfstatus/.TFStatusActivity activity component which uses the externally controlled string as an input to execute an AT command. There are two different injection techniques to successfully inject arbitrary AT commands to execute. | ||||
| CVE-2024-27174 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 9.8 Critical |
| Remote Command program allows an attacker to get Remote Code Execution. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL. | ||||