Export limit exceeded: 357649 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12135 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12135 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7742 | 2026-04-15 | N/A | ||
| An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level. | ||||
| CVE-2024-33898 | 1 Axiros | 1 Axess | 2026-04-15 | 9.8 Critical |
| Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution. | ||||
| CVE-2024-34022 | 1 Intel | 1 Thunderbolt Share Software | 2026-04-15 | 6.7 Medium |
| Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-34404 | 1 Veritas | 2 Netbackup, Netbackup Appliance | 2026-04-15 | 6.8 Medium |
| A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. This vulnerability allowed a NetBackup administrator to modify the expiration of backups under Governance mode (which could cause premature deletion). | ||||
| CVE-2024-56898 | 2026-04-15 | 8.8 High | ||
| Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts. | ||||
| CVE-2024-34463 | 1 Bpl | 1 Pws-01-bt | 2026-04-15 | 5.1 Medium |
| BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.) | ||||
| CVE-2024-34519 | 2026-04-15 | 6.8 Medium | ||
| Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its auto-login user has privileges that a dashboard visitor should not have. | ||||
| CVE-2024-34524 | 1 Xlang | 1 Open Agents | 2026-04-15 | 9.1 Critical |
| In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | ||||
| CVE-2024-6727 | 2026-04-15 | 5.4 Medium | ||
| A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | ||||
| CVE-2024-36293 | 2026-04-15 | 6.5 Medium | ||
| Improper access control in the EDECCSSA user leaf function for some Intel(R) Processors with Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2024-36438 | 1 Elinksmart | 1 Smart Cabinet Lock | 2026-04-15 | 7.3 High |
| eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks. | ||||
| CVE-2024-43705 | 2026-04-15 | 7.8 High | ||
| Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory. | ||||
| CVE-2024-37233 | 2026-04-15 | 4.3 Medium | ||
| Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4. | ||||
| CVE-2024-37893 | 1 Firefly-iii | 1 Firefly Iii | 2026-04-15 | 5.9 Medium |
| Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. | ||||
| CVE-2024-37897 | 2026-04-15 | 5.4 Medium | ||
| SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability. | ||||
| CVE-2024-38518 | 1 Bigbluebutton | 1 Bigbluebutton | 2026-04-15 | 4.6 Medium |
| BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7. | ||||
| CVE-2024-38523 | 2026-04-15 | 7.5 High | ||
| Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10. | ||||
| CVE-2024-39309 | 1 Parse Community | 1 Parse Server | 2026-04-15 | 9.8 Critical |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. | ||||
| CVE-2024-39327 | 2026-04-15 | 9.9 Critical | ||
| Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way. | ||||
| CVE-2024-39340 | 1 Securepoint | 1 Unified Threat Management | 2026-04-15 | 8.8 High |
| The authentication system of Securepoint UTM mishandles OTP keys. This allows the bypassing of second-factor verification (when OTP is enabled) in both the administration web interface and the user portal. Affected versions include UTM 11.5 through 12.6.4 and Reseller Preview 12.7.0. The issue has been fixed in UTM 12.6.5 and 12.7.1. | ||||