Export limit exceeded: 347679 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (347679 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12812 | 1 Delinea | 1 Cloud Suite And Privileged Access Service | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service. Remediation: This issue is fixed in Cloud Suite: 25.1 | ||||
| CVE-2025-65109 | 1 Mindersec | 1 Minder | 2026-04-15 | N/A |
| Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84. | ||||
| CVE-2025-65127 | 1 Shenzhen Zhibotong Electronics | 1 Zbt We2001 | 2026-04-15 | 6.5 Medium |
| A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get_*" operations, attackers can obtain device configuration data, including plaintext credentials, without authentication or an existing session. | ||||
| CVE-2025-55280 | 2026-04-15 | N/A | ||
| This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the plaintext sensitive data stored in the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized network access, retrieve and manipulate data on the targeted device. | ||||
| CVE-2025-12815 | 1 Aws | 1 Research And Engineering Studio | 2026-04-15 | 4.3 Medium |
| An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview screenshots. To mitigate this issue, users should upgrade to version 2025.09 or above. | ||||
| CVE-2025-12748 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 5.5 Medium |
| A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition. | ||||
| CVE-2025-55069 | 1 Automationdirect | 1 Click Plus | 2026-04-15 | 8.3 High |
| A predictable seed in pseudo-random number generator vulnerability has been discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software implements a predictable seed for its pseudo-random number generator, which compromises the security of the generated private keys. | ||||
| CVE-2025-57354 | 2026-04-15 | 6.5 Medium | ||
| A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing. | ||||
| CVE-2024-5602 | 1 Ni | 1 System Configuration | 2026-04-15 | 7.8 High |
| A stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution. Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file. The NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products. Refer to the NI Security Advisory for identifying the version of NI IO Trace.exe installed. The NI I/O Trace tool was also previously released as NI Spy. | ||||
| CVE-2025-55038 | 1 Automationdirect | 1 Click Plus | 2026-04-15 | 6.8 Medium |
| An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level. | ||||
| CVE-2025-14386 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account. | ||||
| CVE-2025-32471 | 2026-04-15 | 3.7 Low | ||
| The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks. | ||||
| CVE-2025-31485 | 1 Api-platform | 1 Core | 2026-04-15 | 7.5 High |
| API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17. | ||||
| CVE-2025-54596 | 2026-04-15 | 4.3 Medium | ||
| Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts. | ||||
| CVE-2025-54568 | 2026-04-15 | 3.7 Low | ||
| Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node. | ||||
| CVE-2025-54473 | 1 Joomla | 2 Joomla, Joomla! | 2026-04-15 | N/A |
| An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. | ||||
| CVE-2025-12742 | 1 Google | 1 Cloud Looker | 2026-04-15 | N/A |
| A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | ||||
| CVE-2024-5565 | 1 Vanna-ai | 1 Vanna | 2026-04-15 | 8.1 High |
| The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution. | ||||
| CVE-2024-55655 | 2026-04-15 | N/A | ||
| sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise. Sigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable. | ||||
| CVE-2025-45406 | 2026-04-15 | 6.1 Medium | ||
| A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class. | ||||