Search Results (351338 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0226 | | | 2026-04-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-0227 | | | 2026-04-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-0248 | 1 Hcltech | 1 Hcl Inotes | 2026-04-15 | 8.1 High |
| HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | ||||
| CVE-2025-0254 | | | 2026-04-15 | 5.9 Medium |
| HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. An attacker could intercept and potentially alter communication between two parties. | ||||
| CVE-2025-0280 | 1 Hcltech | 1 Compass | 2026-04-15 | 7.5 High |
| A security vulnerability in HCL Compass can allow an attacker to gain unauthorized database access. | ||||
| CVE-2025-0306 | 1 Redhat | 2 Enterprise Linux, Storage | 2026-04-15 | 7.4 High |
| A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service. | ||||
| CVE-2024-9333 | | | 2026-04-15 | N/A |
| Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows an authenticated user to access a limited amount of documents via incorrect access control list calculation. | ||||
| CVE-2024-9310 | | | 2026-04-15 | N/A |
| By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs). | ||||
| CVE-2024-9304 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The LocateAndFilter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-8059 | | | 2026-04-15 | 4.3 Medium |
| IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters. | ||||
| CVE-2024-8060 | 1 Open-webui | 1 Open-webui | 2026-04-15 | N/A |
| OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user. | ||||
| CVE-2024-8065 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | N/A |
| A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among other actions. The application does not implement any CSRF protection, making it susceptible to these attacks. | ||||
| CVE-2024-8067 | 1 Perforce | 1 Helix Core | 2026-04-15 | N/A |
| In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection was identified. | ||||
| CVE-2024-8070 | | | 2026-04-15 | 8.5 High |
| CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary. | ||||
| CVE-2024-8074 | | | 2026-04-15 | N/A |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024. | ||||
| CVE-2024-8088 | 2 Python Software Foundation, Redhat | 2 Cpython, Enterprise Linux | 2026-04-15 | 5.3 Medium |
| There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. | ||||
| CVE-2024-8097 | 1 Payara Platform | 1 Payara Server | 2026-04-15 | 4.2 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50. | ||||
| CVE-2024-8099 | 2 Duckdb, Vanna-ai | 2 Duckdb, Vanna | 2026-04-15 | N/A |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted SQL queries that leverage DuckDB's default features, such as `read_csv`, `read_csv_auto`, `read_text`, and `read_blob`, to make unauthorized requests to internal or external resources. This can lead to unauthorized access to sensitive data, internal systems, and potentially further attacks. | ||||
| CVE-2024-8100 | | | 2026-04-15 | 8.7 High |
| On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision. | ||||
| CVE-2024-8110 | 1 Yokogawa | 1 Dual-redundant Platform For Computer (pc2ckm) | 2026-04-15 | 7.5 High |
| Denial of Service (DoS) vulnerability has been found in Dual-redundant Platform for Computer. If a computer on which the affected product is installed receives a large number of UDP broadcast packets in a short period, occasionally that computer may restart. If both the active and standby computers are restarted at the same time, the functionality on that computer may be temporarily unavailable. | ||||