Export limit exceeded: 15481 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (15481 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2442 | 2026-04-15 | 6.8 Medium | ||
| CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access which could result in the loss of confidentially, integrity and availability when a malicious user, having physical access, sets the radio to the factory default mode. | ||||
| CVE-2025-24288 | 1 Versa | 1 Director | 2026-04-15 | 9.8 Critical |
| The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and multiple accounts (most with sudo access) that utilize the same default credentials. By default, Versa director exposes ssh and postgres to the internet, alongside a host of other services. Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: Versa recommends the following security controls: 1) Change default passwords to complex passwords 2) Passwords must be complex with at least 8 characters that comprise of upper case, and lower case alphabets, as well as at at least one digit, and one special character 3) Passwords must be changed at least every 90 days 4) Password change history is checked to ensure that the at least the last 5 passwords must be used when changing password. 5) Review and audit logs for all authentication attempts to check for unauthorized/suspicious login attempts and enforce remediation steps. | ||||
| CVE-2025-41438 | 2026-04-15 | 9.8 Critical | ||
| The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited. | ||||
| CVE-2025-20053 | 1 Intel | 3 Processor, Xeon, Xeon Processors | 2026-04-15 | 7.2 High |
| Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with SGX enabled may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-11085 | 1 Rockwellautomation | 1 Factorytalk | 2026-04-15 | N/A |
| A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website. | ||||
| CVE-2025-52622 | 1 Hcltech | 1 Bigfix Saas | 2026-04-15 | 5.4 Medium |
| The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks. | ||||
| CVE-2025-11015 | 1 Ogrecave | 1 Ogre | 2026-04-15 | 5.3 Medium |
| A weakness has been identified in OGRECave Ogre up to 14.4.1. Impacted is the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp. This manipulation causes mismatched memory management routines. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-46599 | 1 K3s | 1 K3s | 2026-04-15 | 6.8 Medium |
| CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials. | ||||
| CVE-2025-46583 | 1 Zte | 1 Mc889a | 2026-04-15 | 5.3 Medium |
| There is a Denial of Service(DoS)vulnerability in the ZTE MC889A Pro product. Due to insufficient validation of the input parameters of the Short Message Service interface, allowing an attacker to exploit it to carry out a DoS attack. | ||||
| CVE-2025-68113 | 1 Altcha | 1 Altcha | 2026-04-15 | 6.5 Medium |
| ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `<salt>?expires=<time>&`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator. | ||||
| CVE-2023-6361 | 1 Winhex | 1 Winhex | 2026-04-15 | 7.3 High |
| A vulnerability has been discovered in Winhex affecting version 16.1 SR-1 and 20.4. This vulnerability consists of a buffer overflow controlling the Structured Exception Handler (SEH) registers. This could allow attackers to execute arbitrary code via a long filename argument. | ||||
| CVE-2025-53602 | 2026-04-15 | 5.3 Medium | ||
| Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. | ||||
| CVE-2025-42934 | 1 Sap | 1 S/4hana | 2026-04-15 | 4.3 Medium |
| SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability. | ||||
| CVE-2024-8937 | 2026-04-15 | 6.5 Medium | ||
| CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a potential arbitrary code execution after a successful Man-In-The Middle attack followed by sending a crafted Modbus function call to tamper with memory area involved in the authentication process. | ||||
| CVE-2025-9020 | 1 Dronecode | 1 Px4 Drone Autopilot | 2026-04-15 | 4.5 Medium |
| A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4. This issue affects the function MavlinkReceiver::handle_message_serial_control of the file src/modules/mavlink/mavlink_receiver.cpp of the component Mavlink Shell Closing Handler. The manipulation of the argument _mavlink_shell leads to use after free. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The identifier of the patch is 4395d4f00c49b888f030f5b43e2a779f1fa78708. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-34141 | 2026-04-15 | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1. | ||||
| CVE-2025-3497 | 2026-04-15 | 8.7 High | ||
| The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product. | ||||
| CVE-2025-34096 | 1 Efssoft | 1 Easy File Sharing Web Server | 2026-04-15 | N/A |
| A stack-based buffer overflow vulnerability exists in Easy File Sharing HTTP Server version 7.2. The flaw is triggered when a crafted POST request is sent to the /sendemail.ghp endpoint containing an overly long Email parameter. The application fails to properly validate the length of this field, resulting in a memory corruption condition. An unauthenticated remote attacker can exploit this to execute arbitrary code with the privileges of the server process. | ||||
| CVE-2025-32074 | 2026-04-15 | 5.4 Medium | ||
| Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43. | ||||
| CVE-2025-32033 | 2026-04-15 | 7.5 High | ||
| The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1. | ||||