Export limit exceeded: 351631 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11745 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11080 | 1 Zhuimengshaonian | 1 Wisdom-education | 2026-04-15 | 4.3 Medium |
| A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. This vulnerability affects the function selectStudentExamInfoList of the file src/main/java/com/education/api/controller/student/ExamInfoController.java. Such manipulation of the argument subjectId leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-13182 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator. | ||||
| CVE-2025-0914 | 2026-04-15 | 3.8 Low | ||
| An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4. | ||||
| CVE-2024-36080 | 1 Westernmo | 1 Edw 100 | 2026-04-15 | 9.8 Critical |
| Westermo EDW-100 devices through 2024-05-03 have a hidden root user account with a hardcoded password that cannot be changed. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. | ||||
| CVE-2025-69907 | 1 Newgensoft | 1 Omnidocs | 2026-04-15 | 7.5 High |
| An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. | ||||
| CVE-2025-29315 | 2026-04-15 | 9.8 Critical | ||
| An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request. | ||||
| CVE-2024-1610 | 2026-04-15 | 9.8 Critical | ||
| In OPPO Store APP, there's a possible escalation of privilege due to improper input validation. | ||||
| CVE-2024-36108 | 2026-04-15 | 9.8 Critical | ||
| casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-29266 | 2026-04-15 | 9.6 Critical | ||
| Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled. | ||||
| CVE-2025-29270 | 1 Deep Sea Electronics | 1 Dse855 | 2026-04-15 | 10 Critical |
| Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device. | ||||
| CVE-2025-3580 | 1 Grafana | 1 Grafana | 2026-04-15 | 5.5 Medium |
| An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | ||||
| CVE-2024-36062 | 2026-04-15 | 4 Medium | ||
| The com.callassistant.android (aka AI Call Assistant & Screener) application 1.174 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callassistant.android.ui.call.incall.InCallActivity component. | ||||
| CVE-2022-4001 | 1 Motorola | 1 Q14 Mesh Router Firmware | 2026-04-15 | 7.3 High |
| An authentication bypass vulnerability could allow an attacker to access API functions without authentication. | ||||
| CVE-2025-2492 | 2026-04-15 | N/A | ||
| An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | ||||
| CVE-2024-35228 | 1 Wagtail | 1 Wagtail | 2026-04-15 | 5.5 Medium |
| Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability in `ModelViewSet` by registering the model as a snippet instead. No workaround is available for `wagtail.contrib.settings`. | ||||
| CVE-2025-2686 | 2026-04-15 | 6.5 Medium | ||
| A vulnerability has been found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. Affected by this vulnerability is the function doFilter of the file /admin/ of the component Backend. The manipulation of the argument Request leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-34524 | 1 Xlang | 1 Open Agents | 2026-04-15 | 9.1 Critical |
| In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | ||||
| CVE-2024-10620 | 1 Knightliao | 1 Disconf | 2026-04-15 | 5.3 Medium |
| A vulnerability was found in knightliao Disconf 2.6.36. It has been classified as critical. This affects an unknown part of the file /api/config/list of the component Configuration Center. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-43698 | 2026-04-15 | 9.1 Critical | ||
| Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025 | ||||
| CVE-2025-57197 | 2 Google, Payeer | 2 Android, Payeer App | 2026-04-15 | 6 Medium |
| In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN verification check and directly modify the authentication PIN. This allows unauthorized users to change PIN without knowing the original/current PIN. | ||||