Export limit exceeded: 344734 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344734 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39566 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-04-14 | 4 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26. | ||||
| CVE-2026-38532 | 2026-04-14 | 8.1 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38530 | 2026-04-14 | 8.1 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38529 | 2026-04-14 | 8.8 High | ||
| A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | ||||
| CVE-2026-38528 | 2026-04-14 | 7.1 High | ||
| Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | ||||
| CVE-2026-38527 | 2026-04-14 | 8.5 High | ||
| A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. | ||||
| CVE-2026-38526 | 2026-04-14 | 9.9 Critical | ||
| An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2026-34627 | 2026-04-14 | 7.8 High | ||
| InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-33829 | 1 Microsoft | 15 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 12 more | 2026-04-14 | 4.3 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-33118 | 1 Microsoft | 1 Edge Chromium | 2026-04-14 | 4.3 Medium |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2026-33096 | 1 Microsoft | 7 Windows 11 23h2, Windows 11 24h2, Windows 11 25h2 and 4 more | 2026-04-14 | 7.5 High |
| Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-32220 | 1 Microsoft | 4 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 and 1 more | 2026-04-14 | 4.4 Medium |
| Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-27906 | 1 Microsoft | 6 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 3 more | 2026-04-14 | 4.4 Medium |
| Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-27246 | 2026-04-14 | 9.3 Critical | ||
| Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | ||||
| CVE-2026-26154 | 1 Microsoft | 7 Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and 4 more | 2026-04-14 | 7.5 High |
| Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network. | ||||
| CVE-2026-26143 | 1 Microsoft | 1 Powershell | 2026-04-14 | 7.8 High |
| Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2026-24906 | 2026-04-14 | N/A | ||
| October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only | ||||
| CVE-2026-23666 | 1 Microsoft | 1 .net | 2026-04-14 | 7.5 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-20928 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-04-14 | 4.6 Medium |
| Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack. | ||||
| CVE-2025-70023 | 2026-04-14 | N/A | ||
| An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. | ||||