Export limit exceeded: 348242 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 348242 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348242 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4174 | 1 Radare | 1 Radare2 | 2026-04-22 | 3.3 Low |
| A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS". | ||||
| CVE-2026-4185 | 1 Gpac | 1 Gpac | 2026-04-22 | 6.3 Medium |
| A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue. | ||||
| CVE-2026-4190 | 1 Jawherkl | 1 Node-api-postgres | 2026-04-22 | 7.3 High |
| A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4200 | 1 Glowxq | 1 Glowxq-oj | 2026-04-22 | 7.3 High |
| A security flaw has been discovered in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This affects the function uploadTestcaseZipUrl of the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4201 | 1 Glowxq | 1 Glowxq-oj | 2026-04-22 | 7.3 High |
| A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4216 | 1 I-sens | 1 Smartlog App | 2026-04-22 | 5.3 Medium |
| A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it." | ||||
| CVE-2026-4221 | 1 Tiandy | 1 Easy7 Integrated Management Platform | 2026-04-22 | 7.3 High |
| A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4222 | 1 Sscms | 1 Sscms | 2026-04-22 | 3.8 Low |
| A vulnerability was determined in SSCMS up to 7.4.0. This vulnerability affects the function PathUtils.RemoveParentPath of the file /api/admin/plugins/install/actions/download. This manipulation of the argument path causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4230 | 1 Vanna-ai | 1 Vanna | 2026-04-22 | 6.3 Medium |
| A vulnerability has been found in vanna-ai vanna up to 2.0.2. Affected is the function update_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4233 | 1 Thethingsnetwork | 1 Thingsgateway | 2026-04-22 | 4.3 Medium |
| A vulnerability was identified in ThingsGateway 12. This affects an unknown part of the file /api/file/download. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4237 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-04-22 | 7.3 High |
| A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-4238 | 1 Itsourcecode | 1 College Management System | 2026-04-22 | 4.7 Medium |
| A vulnerability has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/courses.php. The manipulation of the argument course_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4239 | 1 Lagom | 1 Whmcs Template | 2026-04-22 | 3.5 Low |
| A vulnerability was found in Lagom WHMCS Template up to 2.3.7. Impacted is an unknown function of the component Datatables. The manipulation results in improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4242 | 1 Babychakra | 1 Pregnancy & Parenting App | 2026-04-22 | 2.5 Low |
| A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the argument SEGMENT_WRITE_KEY results in unprotected storage of credentials. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4250 | 1 Albert Sağlık Hizmetleri Ve Ticaret | 1 Albert Health | 2026-04-22 | 2.5 Low |
| A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4284 | 1 Taoofagi | 1 Easegen-admin | 2026-04-22 | 4.7 Medium |
| A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of the component PPT File Handler. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4289 | 1 Tiandy | 1 Easy7 Integrated Management Platform | 2026-04-22 | 7.3 High |
| A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4466 | 1 Comfast | 2 Cf-ac100, Cf-ac100 Firmware | 2026-04-22 | 4.7 Medium |
| A vulnerability has been found in Comfast CF-AC100 2.6.0.8. This affects an unknown function of the file /cgi-bin/mbox-config?method=SET§ion=ntp_timezone. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4467 | 1 Comfast | 2 Cf-ac100, Cf-ac100 Firmware | 2026-04-22 | 4.7 Medium |
| A vulnerability was found in Comfast CF-AC100 2.6.0.8. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET§ion=wireless_device_dissoc. The manipulation results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4468 | 1 Comfast | 2 Cf-ac100, Cf-ac100 Firmware | 2026-04-22 | 4.7 Medium |
| A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET§ion=update_interface_png. This manipulation causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||