Export limit exceeded: 10718 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10718 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47779 | 2026-04-15 | N/A | ||
| Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets. | ||||
| CVE-2025-0224 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-11741 | 1 Grafana | 1 Grafana | 2026-04-15 | 4.3 Medium |
| Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 | ||||
| CVE-2025-22960 | 2026-04-15 | 8 High | ||
| A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog*), potentially revealing sensitive session-related information such as session IDs (sess_id) and authentication success tokens (user_check_password OK). Exploiting this flaw could allow attackers to hijack active sessions, gain unauthorized access, and escalate privileges on affected devices. | ||||
| CVE-2025-6593 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-04-15 | N/A |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | ||||
| CVE-2025-61481 | 1 Mikrotik | 2 Routeros, Switchos | 2026-04-15 | 10 Critical |
| An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials. | ||||
| CVE-2025-32698 | 2026-04-15 | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. | ||||
| CVE-2024-4021 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /ndmComponents.js of the component Configuration Setting Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261673 was assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024. | ||||
| CVE-2025-29628 | 2026-04-15 | 9.4 Critical | ||
| A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack. This may result in the attacker capturing device credentials or taking control of vulnerable home kits. | ||||
| CVE-2024-3182 | 1 Tibco | 1 Hawk | 2026-04-15 | 6.5 Medium |
| Install-type password disclosure vulnerability in Universal Installer including the Silent Installer in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows user's Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files. | ||||
| CVE-2024-45811 | 2 Redhat, Vitejs | 2 Openshift Distributed Tracing, Vite | 2026-04-15 | 4.8 Medium |
| Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-60805 | 1 Bessystem | 1 Application Server | 2026-04-15 | 7.5 High |
| An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml. | ||||
| CVE-2024-39919 | 2026-04-15 | 3.1 Low | ||
| @jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-8884 | 1 Schneider Electric | 1 System Monitor Application In Harmony Industrial Pc Hmibmo Hmibmi Hmipso Hmibmp Hmibmu Hmipsp Hmipep Series | 2026-04-15 | 9.8 Critical |
| CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause exposure of credentials when attacker has access to application on network over http | ||||
| CVE-2024-31207 | 1 Vitejs | 1 Vite | 2026-04-15 | 5.9 Medium |
| Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. | ||||
| CVE-2025-9209 | 2 Magnigenie, Wordpress | 2 Restropress, Wordpress | 2026-04-15 | 9.8 Critical |
| The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them. | ||||
| CVE-2024-29897 | 1 Miraheze | 1 Createwiki | 2026-04-15 | 4.9 Medium |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937. | ||||
| CVE-2025-26485 | 2026-04-15 | 5.8 Medium | ||
| A vulnerability in Beta80 Life 1st enables the retrieval of different error messages for failed authentication attempts (in case of the usage of a wrong password or a non existent user). The difference in the returned error messages could be used by attackers to understand whether a certain user is registered in the Identity Manager. This issue affects Life 1st: 1.5.2.14234. | ||||
| CVE-2024-12637 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality. The JSON files are stored in predictable locations with guessable file names when exporting user data. This could allow unauthenticated attackers to extract sensitive user data, for instance, email addresses, hashed passwords, and IP addresses. | ||||
| CVE-2024-7382 | 1 Coffee2code | 1 Linkify-text | 2026-04-15 | 5.3 Medium |
| The Linkify Text plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.9.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website. | ||||