Export limit exceeded: 362454 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (4502 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2009-3923 1 Sun 2 Virtual Desktop Infrastructure, Virtualbox 2026-04-23 N/A
The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop Infrastructure (VDI) 3.0 does not require authentication, which allows remote attackers to obtain unspecified access via vectors involving requests to an Apache HTTP Server.
CVE-2008-4244 1 Rianxosencabos Cms 1 Rianxosencabos Cms 2026-04-23 N/A
Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1.
CVE-2008-0926 1 Novell 1 Edirectory 2026-04-23 N/A
The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 and earlier, and 8.8.x before 8.8.2, relies on client-side authentication, which allows remote attackers to bypass authentication via requests for /SOAP URIs, and cause a denial of service (daemon shutdown) or read arbitrary files. NOTE: it was later reported that 8.7.3.10 (aka 8.7.3 SP10) is also affected.
CVE-2008-4427 1 Phlatline 1 Personal Information Manager 2026-04-23 N/A
changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords.
CVE-2007-2719 1 Hp 1 Systems Insight Manager 2026-04-23 N/A
Session fixation vulnerability in HP Systems Insight Manager (SIM) 4.2 and 5.0 SP4 and SP5 allows remote attackers to hijack web sessions by setting the JSESSIONID cookie.
CVE-2008-4752 1 Tech Logic 1 Tlnews 2026-04-23 N/A
TlNews 2.2 allows remote attackers to bypass authentication and gain administrative access by setting the tlNews_login cookie to admin.
CVE-2025-10293 2 Nexist, Wordpress 2 Keyy Two Factor Authentication, Wordpress 2026-04-22 8.8 High
The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up.
CVE-2026-4187 1 Tiandy 1 Easy7 Integrated Management Platform 2026-04-22 5.3 Medium
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2991 2 Iqonicdesign, Wordpress 2 Kivicare – Clinic & Patient Management System (ehr), Wordpress 2026-04-22 7.3 High
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
CVE-2026-4476 1 Yitechnology 1 Yi Home Camera 2026-04-22 6.3 Medium
A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4349 1 Duende 1 Identityserver 2026-04-22 5.6 Medium
A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2026-0953 2 Themeum, Wordpress 2 Tutor Lms, Wordpress 2026-04-22 9.8 Critical
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
CVE-2026-3739 1 Suitenumerique 1 Messages 2026-04-22 6.3 Medium
A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.3.0 is capable of addressing this issue. The patch is identified as d7729f4b885449f6dee3faf8b5f2a05769fb3d6e. The affected component should be upgraded.
CVE-2026-40946 1 Oxia-db 1 Oxia 2026-04-22 N/A
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2.
CVE-2026-6635 1 Rowboatlabs 1 Rowboat 2026-04-22 7.3 High
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6588 1 Serge-chat 1 Serge 2026-04-22 6.5 Medium
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6569 1 Kodcloud 1 Kodexplorer 2026-04-22 7.3 High
A vulnerability was identified in kodcloud KodExplorer up to 4.52. This impacts the function fileGet of the file /app/controller/share.class.php of the component fileGet Endpoint. Such manipulation of the argument fileUrl leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6579 1 Liangliangyy 1 Djangoblog 2026-04-22 6.5 Medium
A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6577 1 Liangliangyy 1 Djangoblog 2026-04-22 7.3 High
A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6582 2 Superagi, Transformeroptimus 2 Superagi, Superagi 2026-04-22 7.3 High
A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.