Export limit exceeded: 11196 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11196 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10024 | 1 Exert | 1 Education Management System | 2026-04-15 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Management System: through 23.09.2025. | ||||
| CVE-2024-9819 | 2026-04-15 | 6.5 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.This issue affects NG Analyser: before 2.2.711. | ||||
| CVE-2024-9907 | 1 Qilecms | 1 Qilecms | 2026-04-15 | 3.7 Low |
| A vulnerability classified as problematic was found in QileCMS up to 1.1.3. This vulnerability affects the function sendEmail of the file /qilecms/user/controller/Forget.php of the component Verification Code Handler. The manipulation leads to weak password recovery. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0479 | 2026-04-15 | N/A | ||
| This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system. | ||||
| CVE-2024-9262 | 2026-04-15 | 6.5 Medium | ||
| The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely. | ||||
| CVE-2024-9263 | 1 Arraytics | 1 Timetics | 2026-04-15 | 9.8 Critical |
| The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible. | ||||
| CVE-2025-0575 | 2026-04-15 | 3.9 Low | ||
| A vulnerability has been found in Union Bank of India Vyom 8.0.34 on Android and classified as problematic. This vulnerability affects unknown code of the component Rooting Detection. The manipulation leads to protection mechanism failure. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-32189 | 2026-04-15 | 5.9 Medium | ||
| Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys | ||||
| CVE-2025-10947 | 2026-04-15 | 5.3 Medium | ||
| A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component. | ||||
| CVE-2024-8118 | 1 Grafana | 1 Grafana | 2026-04-15 | 4.7 Medium |
| In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. | ||||
| CVE-2025-7881 | 2026-04-15 | 2.7 Low | ||
| A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-8040 | 2026-04-15 | 7.7 High | ||
| An authorization bypass through user-controlled key vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2024x allows an authenticated attacker to access some unauthorized data. | ||||
| CVE-2025-0670 | 1 Akinsoft | 1 Prokuafor | 2026-04-15 | 4.7 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure.This issue affects ProKuafor: from s1.02.07 before v1.02.08. | ||||
| CVE-2025-8737 | 1 Microservices-platform Project | 1 Microservices-platform | 2026-04-15 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in zlt2000 microservices-platform up to 6.0.0. This affects the function onLogoutSuccess of the file src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java. The manipulation of the argument redirect_url leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-12110 | 1 Redhat | 1 Build Keycloak | 2026-04-15 | 5.4 Medium |
| A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are. | ||||
| CVE-2023-3285 | 2026-04-15 | 7.7 High | ||
| A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation. | ||||
| CVE-2025-53969 | 1 Cognex | 2 In-sight Camera Firmware, In-sight Explorer | 2026-04-15 | 8.8 High |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users' access to the device. | ||||
| CVE-2024-34520 | 2026-04-15 | 8.8 High | ||
| An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls. | ||||
| CVE-2025-41720 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 4.3 Medium |
| A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. | ||||
| CVE-2025-55166 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2026-04-15 | N/A |
| savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0. | ||||