Export limit exceeded: 20762 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12138 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12138 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52338 | 2026-04-15 | 5.3 Medium | ||
| An issue in the default configuration of the password reset function in LogicData eCommerce Framework v5.0.9.7000 allows attackers to bypass authentication and compromise user accounts via a bruteforce attack. | ||||
| CVE-2025-1646 | 2026-04-15 | 7.3 High | ||
| A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-20159 | 1 Cisco | 1 Ios Xr Software | 2026-04-15 | 5.3 Medium |
| A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features. This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device. | ||||
| CVE-2025-67859 | 1 Linrunner | 1 Tlp | 2026-04-15 | N/A |
| A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon’s log settings.This issue affects TLP: from 1.9 before 1.9.1. | ||||
| CVE-2024-20397 | 2026-04-15 | 5.2 Medium | ||
| A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. This vulnerability is due to insecure bootloader settings. An attacker could exploit this vulnerability by executing a series of bootloader commands. A successful exploit could allow the attacker to bypass NX-OS image signature verification and load unverified software. | ||||
| CVE-2024-52786 | 1 Anji-plus | 1 Aj-report | 2026-04-15 | 9.8 Critical |
| An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. | ||||
| CVE-2024-53494 | 2026-04-15 | 7.5 High | ||
| Incorrect access control in the preHandle function of SpringBootBlog v1.0.0 allows attackers to access sensitive components without authentication. | ||||
| CVE-2024-12310 | 2026-04-15 | N/A | ||
| A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlying Windows system through the already logged-in autologon account due to insufficient handling of keyboard shortcuts. This issue affects Imprivata Enterprise Access Management versions 5.3 through 24.2. | ||||
| CVE-2024-43705 | 2026-04-15 | 7.8 High | ||
| Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory. | ||||
| CVE-2024-56898 | 2026-04-15 | 8.8 High | ||
| Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts. | ||||
| CVE-2025-53187 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2026-04-15 | 9.8 Critical |
| Due to an issue in configuration, code that was intended for debugging purposes was included in the market release of the ASPECT FW allowing an attacker to bypass authentication. This vulnerability may allow an attacker to change the system time, access files, and make function calls without prior authentication. This issue affects all versions of ASPECT prior to 3.08.04-s01 | ||||
| CVE-2023-52210 | 2 Tychesoftwares, Wordpress | 2 Product Delivery Date For Woocommerce Lite, Wordpress | 2026-04-15 | 5.3 Medium |
| Vulnerability in Tyche softwares Product Delivery Date for WooCommerce – Lite.This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through 2.7.0. | ||||
| CVE-2025-43712 | 1 Jhipster | 1 Generator-jhipster | 2026-04-15 | 2.9 Low |
| JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application). | ||||
| CVE-2025-44178 | 1 Dasan | 1 H660wm | 2026-04-15 | 6.5 Medium |
| DASAN GPON ONU H660WM H660WMR210825 is susceptible to improper access control under its default settings. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information and modify its configuration via the UPnP protocol WAN sides without any authentication. | ||||
| CVE-2025-4962 | 1 Lunary-ai | 1 Lunary | 2026-04-15 | N/A |
| An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23. | ||||
| CVE-2025-41248 | 1 Vmware | 1 Spring Security | 2026-04-15 | 7.5 High |
| The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 . | ||||
| CVE-2025-4210 | 2026-04-15 | 7.3 High | ||
| A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component. | ||||
| CVE-2025-43980 | 2026-04-15 | 6.5 Medium | ||
| An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN. They enable the SSH service by default with the credentials of root/admin. The GUI doesn't offer a way to disable the account. | ||||
| CVE-2025-30508 | 1 Intel | 1 Intel Platforms | 2026-04-15 | 6.5 Medium |
| Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-61114 | 2 Autobizline, Google | 2 Mysecondline, Android | 2026-04-15 | 7.5 High |
| 2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism. The server only validates the first character of the user_token, enabling attackers to brute force tokens and perform unauthorized queries on other user accounts. Successful exploitation could result in privacy breaches and unauthorized access to user data. | ||||