Search Results (345220 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-1010 | 1 Altium | 2 Altium 365, On-prem Enterprise Server | 2026-04-18 | 8 High | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. |
| CVE-2026-1020 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-04-18 | 5.3 Medium | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. |
| CVE-2026-1021 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-04-18 | 9.8 Critical | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. |
| CVE-2026-1022 | 1 Gotac | 2 Statistical Database System, Statistics Database System | 2026-04-18 | 7.5 High | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2026-1023 | 1 Gotac | 2 Statistical Database System, Statistics Database System | 2026-04-18 | 7.5 High | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. |
| CVE-2026-0858 | 1 Plantuml | 1 Plantuml | 2026-04-18 | 6.1 Medium | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. |
| CVE-2026-23769 | 1 Naver | 1 Lucy-xss-filter | 2026-04-18 | 6.5 Medium | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. |
| CVE-2026-0975 | 2 Delta Electronics, Deltaww | 2 Diaview, Diaview | 2026-04-18 | 7.8 High | Delta Electronics DIAView has a Command Injection vulnerability. |
| CVE-2026-22876 | 1 Toa Corporation | 1 Trifora 3 Series | 2026-04-18 | N/A | A Path Traversal vulnerability exists in multiple TRIFORA 3 series network cameras provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege. |
| CVE-2026-0616 | 1 Thelibrarian | 2 The Librarian, Thelibrarian | 2026-04-18 | 7.5 High | TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. |
| CVE-2026-0615 | 1 Thelibrarian | 2 The Librarian, Thelibrarian | 2026-04-18 | 7.3 High | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within the TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. |
| CVE-2026-0695 | 1 Connectwise | 2 Professional Service Automation, Psa | 2026-04-18 | 8.7 High | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed. |
| CVE-2026-21623 | 1 Stackideas | 1 Easydiscuss | 2026-04-18 | 5.4 Medium | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. |
| CVE-2026-21624 | 2 Joomla, Stackideas | 3 Joomla, Joomla!, Easydiscuss | 2026-04-18 | 5.4 Medium | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. |
| CVE-2026-0949 | 1 Enterprisedb | 1 Postgres Enterprise Manager | 2026-04-18 | 6.5 Medium | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. |
| CVE-2026-23528 | 2 Anaconda, Dask | 2 Dask, Distributed | 2026-04-18 | 6.1 Medium | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link, it will open an error page in the Dask Dashboard via the Jupyter Lab proxy, which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. |
| CVE-2026-0629 | 1 Tp-link | 31 Vigi C230i Mini, Vigi C240, Vigi C250 and 28 more | 2026-04-18 | N/A | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. |
| CVE-2026-23634 | 1 Defenseunicorns | 1 Pepr | 2026-04-18 | 0 Low | Pepr is a type-safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. |
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-04-18 | 7.2 High | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. |
| CVE-2026-23722 | 1 Wegia | 1 Wegia | 2026-04-18 | 9.1 Critical | WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a `<script>` block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2. |