Export limit exceeded: 14072 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 11307 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11307 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35184 | 2026-04-15 | 5.5 Medium | ||
| Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue. | ||||
| CVE-2024-36438 | 1 Elinksmart | 1 Smart Cabinet Lock | 2026-04-15 | 7.3 High |
| eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks. | ||||
| CVE-2025-10209 | 1 Papermerge | 2 Dms, Papermerge | 2026-04-15 | 5.4 Medium |
| A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6723 | 1 Chef | 1 Inspec | 2026-04-15 | N/A |
| Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23 and before 7.0.107 | ||||
| CVE-2025-25381 | 2026-04-15 | 7.5 High | ||
| Incorrect access control in the KSRTC AWATAR app of Karnataka State Road Transport Corporation v1.3.0 allows to view sensitive information such as usernames and passwords. | ||||
| CVE-2025-23217 | 1 Mitmproxy | 1 Mitmproxy | 2026-04-15 | N/A |
| mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-46412 | 2026-04-15 | 9.8 Critical | ||
| Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication. | ||||
| CVE-2025-44525 | 2026-04-15 | 6.5 Medium | ||
| Texas Instruments CC2652RB LaunchPad SimpleLink CC13XX CC26XX SDK 7.41.00.17 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | ||||
| CVE-2025-62159 | 1 External-secrets | 1 External-secrets | 2026-04-15 | N/A |
| External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`. | ||||
| CVE-2025-24292 | 1 Ubiquiti | 1 Unifi Network Application | 2026-04-15 | N/A |
| A misconfigured query in UniFi Network (v9.1.120 and earlier) could allow users to authenticate to Enterprise WiFi or VPN Server (l2tp and OpenVPN) using a device’s MAC address from 802.1X or MAC Authentication, if both services are enabled and share the same RADIUS profile. | ||||
| CVE-2025-9099 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14660 | 1 Decocms | 1 Mesh | 2026-04-15 | 5.6 Medium |
| A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component. | ||||
| CVE-2024-9890 | 1 Deryck Onate | 1 User Toolkit | 2026-04-15 | 8.8 High |
| The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. CVE-2024-50503 may be a duplicate. | ||||
| CVE-2025-0813 | 2026-04-15 | 6.8 Medium | ||
| CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process. | ||||
| CVE-2026-3209 | 1 Fosrl | 1 Pangolin | 2026-04-15 | 6.3 Medium |
| A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.4-s.4 mitigates this issue. The identifier of the patch is 5e37c4e85fae68e756be5019a28ca903b161fdd5. Upgrading the affected component is advised. | ||||
| CVE-2024-36108 | 2026-04-15 | 9.8 Critical | ||
| casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-53187 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2026-04-15 | 9.8 Critical |
| Due to an issue in configuration, code that was intended for debugging purposes was included in the market release of the ASPECT FW allowing an attacker to bypass authentication. This vulnerability may allow an attacker to change the system time, access files, and make function calls without prior authentication. This issue affects all versions of ASPECT prior to 3.08.04-s01 | ||||
| CVE-2025-64483 | 1 Wazuh | 2 Wazuh, Wazuh-dashboard | 2026-04-15 | N/A |
| Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | ||||
| CVE-2026-21411 | 2026-04-15 | N/A | ||
| Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | ||||
| CVE-2025-57567 | 1 Pluxml | 1 Pluxml | 2026-04-15 | 9.1 Critical |
| A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. | ||||