Export limit exceeded: 349372 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349372 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0677 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 6.4 Medium |
| A flaw was found in grub2. When performing a symlink lookup, the grub's UFS module checks the inode's data size to allocate the internal buffer to read the file content, however, it fails to check if the symlink data size has overflown. When this occurs, grub_malloc() may be called with a smaller value than needed. When further reading the data from the disk into the buffer, the grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack can leverage this by crafting a malicious filesystem, and as a result, it will corrupt data stored in the heap, allowing for arbitrary code execution used to by-pass secure boot mechanisms. | ||||
| CVE-2025-2335 | 2026-04-15 | 3.5 Low | ||
| A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0813 | 2026-04-15 | 6.8 Medium | ||
| CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process. | ||||
| CVE-2025-15062 | 1 Trimble | 1 Sketchup | 2026-04-15 | N/A |
| Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. | ||||
| CVE-2024-9362 | 2026-04-15 | N/A | ||
| An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. This vulnerability allows an attacker to retrieve directory information and file contents from the server without proper authorization, leading to sensitive information disclosure. The issue enables access to system directories such as `/etc`, potentially resulting in significant security risks. | ||||
| CVE-2024-9363 | 2026-04-15 | N/A | ||
| An unauthorized file deletion vulnerability exists in the latest version of the Polyaxon platform, which can lead to denial of service by terminating critical containers. An attacker can delete important files within the containers, such as `polyaxon.sock`, causing the API container to exit unexpectedly. This disrupts related services and prevents the system from functioning normally, without requiring authentication or UUID parameters. | ||||
| CVE-2024-9365 | 2026-04-15 | N/A | ||
| A Cross-Site Request Forgery (CSRF) vulnerability in polyaxon/polyaxon v2.4.0 allows attackers to perform unauthorized actions in the context of the victim's browser. This includes creating projects, model versions, and artifact versions, or changing settings. The impact of this vulnerability includes potential data loss and service disruption. | ||||
| CVE-2025-3189 | 2026-04-15 | N/A | ||
| Stored Cross-Site Scripting (XSS) in DoWISP in versions prior to 1.16.2.50, which consists of an stored XSS through the upload of a profile picture in SVG format with malicious Javascript code in it. | ||||
| CVE-2025-15386 | 2 Dfactory, Wordpress | 2 Responsive Lightbox & Gallery, Wordpress | 2026-04-15 | 8.8 High |
| The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. | ||||
| CVE-2025-2342 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-41116 | 1 Grafana | 1 Grafana | 2026-04-15 | N/A |
| When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0 | ||||
| CVE-2025-2344 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-54909 | 2026-04-15 | 8.1 High | ||
| A vulnerability has been identified in GoldPanKit eva-server v4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download. | ||||
| CVE-2024-3027 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-04-15 | 6.4 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks. | ||||
| CVE-2025-53109 | 2026-04-15 | N/A | ||
| Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve. | ||||
| CVE-2024-4340 | 1 Redhat | 5 Ansible Automation Platform, Openstack, Rhui and 2 more | 2026-04-15 | 7.5 High |
| Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. | ||||
| CVE-2025-40744 | 1 Siemens | 1 Solid Edge Se2025 | 2026-04-15 | 7.5 High |
| A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates to connect to License Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. | ||||
| CVE-2024-8403 | 1 Mitsubishi Electric | 2 Melsec Iq-f Series Fx5-enet, Melsec Iq-f Series Fx5-enet Ip | 2026-04-15 | 7.5 High |
| Improper Validation of Specified Type of Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET versions 1.100 to 1.200 and FX5-ENET/IP versions 1.100 to 1.104 allows a remote attacker to cause a Denial of Service condition in Ethernet communication of the products by sending specially crafted SLMP packets. | ||||
| CVE-2024-28139 | 2026-04-15 | 8.8 High | ||
| The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user. The risk has been accepted by the vendor and won't be fixed in the near future. | ||||
| CVE-2024-9070 | 1 Bentoml | 1 Bentoml | 2026-04-15 | N/A |
| A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution. | ||||