Export limit exceeded: 349608 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349608 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54572 | 1 Saml-toolkits | 1 Ruby-saml | 2026-04-15 | N/A |
| The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1. | ||||
| CVE-2025-9223 | 1 Zohocorp | 2 Applications Manager, Manageengine Applications Manager | 2026-04-15 | 8.8 High |
| Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature. | ||||
| CVE-2025-8998 | 1 Axis | 1 Axis Os | 2026-04-15 | 3.1 Low |
| It was possible to upload files with a specific name to a temporary directory, which may result in process crashes and impact usability. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. | ||||
| CVE-2025-54569 | 1 Malwarebytes | 1 Binisoft Windows Firewall Control | 2026-04-15 | 4.5 Medium |
| In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation. | ||||
| CVE-2025-8324 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2026-04-15 | 9.8 Critical |
| Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration. | ||||
| CVE-2025-54558 | 2026-04-15 | 4.1 Medium | ||
| OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag. | ||||
| CVE-2025-54551 | 2026-04-15 | 4.3 Medium | ||
| Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the search function. | ||||
| CVE-2025-5455 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 5.3 Medium |
| An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1. | ||||
| CVE-2025-54548 | 1 Arista | 1 Danz Monitoring Fabric | 2026-04-15 | 4.3 Medium |
| On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes) | ||||
| CVE-2025-54547 | 1 Arista | 1 Danz Monitoring Fabric | 2026-04-15 | 5.3 Medium |
| On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired | ||||
| CVE-2025-54520 | 1 Amd | 2 Artix 7-series Fpga, Kintex 7-series Fpga | 2026-04-15 | N/A |
| Improper Protection Against Voltage and Clock Glitches in FPGA devices, could allow an attacker with physical access to undervolt the platform resulting in a loss of confidentiality. | ||||
| CVE-2025-54519 | 1 Amd | 1 Vivado™ Documentation Navigator Installation (windows) | 2026-04-15 | 7.3 High |
| A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | ||||
| CVE-2025-68339 | 1 Linux | 1 Linux Kernel | 2026-04-15 | N/A |
| In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. | ||||
| CVE-2025-7020 | 1 Byd | 1 Dilink Os | 2026-04-15 | N/A |
| An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data. This vulnerability was introduced in a patch intended to fix CVE-2024-54728. | ||||
| CVE-2024-0870 | 1 Yithemes | 1 Yith Woocommerce Gift Cards | 2026-04-15 | 5.3 Medium |
| The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_mail_status' and 'save_email_settings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated attackers to modify WooCommerce settings. | ||||
| CVE-2025-54477 | 1 Joomla | 2 Joomla, Joomla! | 2026-04-15 | 5.3 Medium |
| Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method. | ||||
| CVE-2025-54470 | 1 Suse | 1 Neuvector | 2026-04-15 | 8.6 High |
| This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack | ||||
| CVE-2025-54469 | 1 Suse | 1 Neuvector | 2026-04-15 | 9.9 Critical |
| A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container. | ||||
| CVE-2025-59580 | 2 Goodlayers, Wordpress | 2 Goodlayers Core, Wordpress | 2026-04-15 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in GoodLayers Goodlayers Core goodlayers-core allows Privilege Escalation.This issue affects Goodlayers Core: from n/a through < 2.1.7. | ||||
| CVE-2025-8715 | 1 Postgresql | 1 Postgresql | 2026-04-15 | 8.8 High |
| Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it. | ||||