Export limit exceeded: 344240 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344240 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5382 | 1 Runzero | 1 Platform | 2026-04-08 | 3 Low |
| An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform. | ||||
| CVE-2026-5378 | 1 Runzero | 1 Platform | 2026-04-08 | 5.8 Medium |
| An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N (5.8 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | ||||
| CVE-2026-5375 | 1 Runzero | 1 Platform | 2026-04-08 | 2.7 Low |
| An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | ||||
| CVE-2026-5373 | 1 Runzero | 1 Platform | 2026-04-08 | 8.1 High |
| An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | ||||
| CVE-2026-5739 | 1 Powerjob | 1 Powerjob | 2026-04-08 | 7.3 High |
| A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-24175 | 1 Nvidia | 1 Triton Inference Server | 2026-04-08 | 7.5 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-24174 | 1 Nvidia | 1 Triton Inference Server | 2026-04-08 | 7.5 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2026-35610 | 1 Polarnl | 1 Polarlearn | 2026-04-08 | 8.8 High |
| PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application. | ||||
| CVE-2026-35604 | 1 Filebrowser | 1 Filebrowser | 2026-04-08 | N/A |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1. | ||||
| CVE-2026-39367 | 1 Wwbn | 1 Avideo | 2026-04-08 | 5.4 Medium |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover. | ||||
| CVE-2026-24173 | 1 Nvidia | 1 Triton Inference Server | 2026-04-08 | 7.5 High |
| NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. A successful exploit of this vulnerability might lead to denial of service. | ||||
| CVE-2025-24817 | 1 Nokia | 1 Mantaray Nm | 2026-04-08 | 8 High |
| Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. | ||||
| CVE-2026-5381 | 1 Runzero | 1 Platform | 2026-04-08 | 2.2 Low |
| An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform. | ||||
| CVE-2026-32712 | 1 Opensourcepos | 1 Opensourcepos | 2026-04-08 | 5.4 Medium |
| Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. | ||||
| CVE-2025-24819 | 1 Nokia | 1 Mantaray Nm | 2026-04-08 | 5.7 Medium |
| Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. | ||||
| CVE-2026-1078 | 1 Pegasystems | 1 Pega Robot Studio | 2026-04-08 | N/A |
| An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website. | ||||
| CVE-2026-1079 | 1 Pegasystems | 1 Pega Browser Extension (pbe) | 2026-04-08 | N/A |
| A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box. | ||||
| CVE-2026-23696 | 2 Nextcloud, Windmill-labs | 2 Flow, Windmil | 2026-04-08 | 9.9 Critical |
| Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints. | ||||
| CVE-2026-24147 | 1 Nvidia | 1 Triton Inference Server | 2026-04-08 | 4.8 Medium |
| NVIDIA Triton Inference Server contains a vulnerability in triton server where an attacker may cause an information disclosure by uploading a model configuration. A successful exploit of this vulnerability may lead to information disclosure or denial of service. | ||||
| CVE-2026-27314 | 1 Apache | 1 Cassandra | 2026-04-08 | 8.8 High |
| Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are recommended to upgrade to version 5.0.7+, which fixes this issue. | ||||