Export limit exceeded: 45192 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12128 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12128 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-36293 | 2026-04-15 | 6.5 Medium | ||
| Improper access control in the EDECCSSA user leaf function for some Intel(R) Processors with Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2024-6727 | 2026-04-15 | 5.4 Medium | ||
| A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | ||||
| CVE-2024-33898 | 1 Axiros | 1 Axess | 2026-04-15 | 9.8 Critical |
| Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution. | ||||
| CVE-2024-32973 | 2026-04-15 | 4.8 Medium | ||
| Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected. This issue has been patched in pull request #851 which has been included in version 0.9.3. Users are advised to upgrade. there are no known workarounds for this vulnerability. | ||||
| CVE-2024-32969 | 1 Vantage6 | 1 Vantage6 | 2026-04-15 | 2.7 Low |
| vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know the passwords, and use that to read task results of other collaborations that that organization is involved in. This is only relatively trusted users - with access to manage a collaboration - are able to do this, which reduces the impact. This vulnerability was patched in version 4.5.0rc3. | ||||
| CVE-2024-3291 | 2026-04-15 | 7.8 High | ||
| When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. | ||||
| CVE-2024-32881 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | 9.8 Critical |
| Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63. | ||||
| CVE-2024-3289 | 1 Tenable | 1 Nessus | 2026-04-15 | 7.8 High |
| When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. | ||||
| CVE-2024-32882 | 1 Wagtail | 1 Wagtail | 2026-04-15 | 2.7 Low |
| Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follows: 1.For models registered through `ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted fields in a separate settings model, and configure permission at the model level. | ||||
| CVE-2024-32044 | 1 Intel | 1 Arc Pro Graphics | 2026-04-15 | 6.8 Medium |
| Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. | ||||
| CVE-2024-32000 | 1 Matrix-org | 1 Matrix-appservice-irc | 2026-04-15 | 4.3 Medium |
| matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack, the malicious user needs to know the event ID of the message they want to leak, as well as to be joined to both the Matrix room and the IRC channel it is bridged to. The message reply containing the leaked message content is visible to IRC channel members when this happens. matrix-appservice-irc 2.0.0 checks whether the user has permission to view an event before constructing a reply. Administrators should upgrade to this version. It's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message. See these lines `601-604` in the configuration file linked. | ||||
| CVE-2024-31207 | 1 Vitejs | 1 Vite | 2026-04-15 | 5.9 Medium |
| Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. | ||||
| CVE-2024-3027 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-04-15 | 6.4 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks. | ||||
| CVE-2024-2973 | 2026-04-15 | 10 Critical | ||
| An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue affects: Session Smart Router: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. Session Smart Conductor: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. WAN Assurance Router: * 6.0 versions before 6.1.9-lts, * 6.2 versions before 6.2.5-sts. | ||||
| CVE-2024-26331 | 2026-04-15 | 7.5 High | ||
| ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value. | ||||
| CVE-2025-59100 | 1 Dormakaba | 1 Access Manager | 2026-04-15 | N/A |
| The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more. | ||||
| CVE-2024-23767 | 1 Hms-networks | 1 Anybus X-gateway Ab7832-f | 2026-04-15 | 8.8 High |
| An issue was discovered on HMS Anybus X-Gateway AB7832-F firmware version 3. The HICP protocol allows unauthenticated changes to a device's network configurations. | ||||
| CVE-2024-22830 | 1 Windows-kernel | 1 Ace-base-sys | 2026-04-15 | 5.3 Medium |
| Anti-Cheat Expert's Windows kernel module "ACE-BASE.sys" version 1.0.2202.6217 does not perform proper access control when handling system resources. This allows a local attacker to escalate privileges from regular user to System or PPL level. | ||||
| CVE-2024-21828 | 1 Intel | 2 Ethernet Adapter Complete Driver Pack, Ethernet Connections Boot Utility Preboot Images And Efi Drivers | 2026-04-15 | 6.7 Medium |
| Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-1853 | 1 Zemana | 1 Antilogger | 2026-04-15 | 5.5 Medium |
| Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers. | ||||