Search Results (12126 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31964 | 1 Mitel | 3 6800 Series Sip Phones, 6900w Series Sip Phone, 6970 Conference Unit | 2026-04-15 | 7.5 High |
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication control. A successful exploit could allow an attacker to modify system configuration settings and potentially cause a denial of service. | ||||
| CVE-2024-31967 | 1 Mitel | 3 6800 Series Sip Phones, 6900 Series Sip Phones, 6970 Conference Unit | 2026-04-15 | 9.1 Critical |
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration. | ||||
| CVE-2024-32882 | 1 Wagtail | 1 Wagtail | 2026-04-15 | 2.7 Low |
| Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follows: 1. For models registered through `ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted fields in a separate settings model, and configure permission at the model level. | ||||
| CVE-2024-3289 | 1 Tenable | 1 Nessus | 2026-04-15 | 7.8 High |
| When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. | ||||
| CVE-2024-32881 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | 9.8 Critical |
| Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63. | ||||
| CVE-2024-3291 | | | 2026-04-15 | 7.8 High |
| When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. | ||||
| CVE-2024-32969 | 1 Vantage6 | 1 Vantage6 | 2026-04-15 | 2.7 Low |
| vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know the passwords, and use that to read task results of other collaborations that that organization is involved in. Only relatively trusted users, those with access to manage a collaboration, are able to do this, which reduces the impact. This vulnerability was patched in version 4.5.0rc3. | ||||
| CVE-2024-32973 | | | 2026-04-15 | 4.8 Medium |
| Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected. This issue has been patched in pull request #851 which has been included in version 0.9.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-33610 | | | 2026-04-15 | 9.1 Critical |
| "sessionlist.html" and "sys_trayentryreboot.html" are accessible with no authentication. "sessionlist.html" provides logged-in users' session information including session cookies, and "sys_trayentryreboot.html" allows rebooting the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-33647 | | | 2026-04-15 | 6.5 Medium |
| A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The Apache Lucene based query engine in the affected application lacks proper access controls. This could allow an authenticated user to query items beyond the user's allowed projects. | ||||
| CVE-2024-3434 | | | 2026-04-15 | 5.4 Medium |
| A vulnerability classified as critical was found in CP Plus Wi-Fi Camera up to 20240401. Affected by this vulnerability is an unknown functionality of the component User Management. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259615. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-34404 | 1 Veritas | 2 Netbackup, Netbackup Appliance | 2026-04-15 | 6.8 Medium |
| A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. This vulnerability allowed a NetBackup administrator to modify the expiration of backups under Governance mode (which could cause premature deletion). | ||||
| CVE-2024-34463 | 1 Bpl | 1 Pws-01-bt | 2026-04-15 | 5.1 Medium |
| BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.) | ||||
| CVE-2024-34519 | | | 2026-04-15 | 6.8 Medium |
| Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its auto-login user has privileges that a dashboard visitor should not have. | ||||
| CVE-2024-34524 | 1 Xlang | 1 Open Agents | 2026-04-15 | 9.1 Critical |
| In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | ||||
| CVE-2024-6727 | | | 2026-04-15 | 5.4 Medium |
| A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | ||||
| CVE-2024-36293 | | | 2026-04-15 | 6.5 Medium |
| Improper access control in the EDECCSSA user leaf function for some Intel(R) Processors with Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2024-37386 | 1 Stormshield | 1 Stormshield Network Security | 2026-04-15 | 4.2 Medium |
| An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Certain manipulations allow restarting in single-user mode despite the activation of secure boot. The following versions fix this: 4.3.27, 4.7.6, and 4.8.2. | ||||
| CVE-2024-37408 | | | 2026-04-15 | 7.3 High |
| fprintd through 1.94.3 lacks a security attention mechanism, and thus unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for Sudo. NOTE: the supplier disputes this because they believe issue resolution would involve modifying the PAM configuration to restrict pam_fprintd.so to front-ends that implement a proper attention mechanism, not modifying pam_fprintd.so or fprintd. | ||||
| CVE-2024-37575 | | | 2026-04-15 | 7.5 High |
| The Mister org.mistergroup.shouldianswer application 1.4.264 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the org.mistergroup.shouldianswer.ui.default_dialer.DefaultDialerActivity component. | ||||