Export limit exceeded: 10683 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10683 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6597 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-04-15 | 0.0 Low |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | ||||
| CVE-2025-59047 | 1 Matrix | 1 Matrix-rust-sdk | 2026-04-15 | N/A |
| matrix-sdk-base is the base component to build a Matrix client library. In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of `Int::Min`. The issue is fixed in matrix-sdk-base 0.14.1. The affected method isn’t used internally, so avoiding calling `RoomMember::normalized_power_level()` prevents the panic. | ||||
| CVE-2023-49112 | 1 Kiuwan | 1 Sast | 2026-04-15 | 6.5 Medium |
| Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | ||||
| CVE-2024-4032 | 2 Python, Redhat | 6 Cpython, Enterprise Linux, Rhel Aus and 3 more | 2026-04-15 | 7.5 High |
| The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. | ||||
| CVE-2025-12789 | 1 Redhat | 1 Red Hat Single Sign On | 2026-04-15 | 6.1 Medium |
| A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL. | ||||
| CVE-2024-55471 | 2026-04-15 | 6.5 Medium | ||
| Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to access sensitive information of other users by manipulating the id parameter. | ||||
| CVE-2025-24517 | 2026-04-15 | 7.5 High | ||
| Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the product login password without authentication. | ||||
| CVE-2025-12883 | 2 Campay, Wordpress | 2 Woocommerce Payment Gateway, Wordpress | 2026-04-15 | 5.3 Medium |
| The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income. | ||||
| CVE-2025-8887 | 1 Usta | 1 Aybs | 2026-04-15 | 6.1 Medium |
| Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2025-41358 | 1 Cronosweb I2a | 1 Cronosweb | 2026-04-15 | N/A |
| Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. | ||||
| CVE-2025-7344 | 2026-04-15 | 8.8 High | ||
| The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API. | ||||
| CVE-2025-12126 | 2 Ryanmoyer, Wordpress | 2 The Total Book Project, Wordpress | 2026-04-15 | 5.4 Medium |
| The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them. | ||||
| CVE-2025-0325 | 2026-04-15 | 4.3 Medium | ||
| A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device. | ||||
| CVE-2025-47455 | 2026-04-15 | N/A | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Salesforce woo-salesforce-plugin-crm-perks allows Phishing.This issue affects Integration for WooCommerce and Salesforce: from n/a through <= 1.7.5. | ||||
| CVE-2025-54336 | 1 Plesk | 1 Obsidian | 2026-04-15 | 9.8 Critical |
| In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php. | ||||
| CVE-2025-10019 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2026-04-15 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60. | ||||
| CVE-2025-27027 | 2026-04-15 | 4.1 Medium | ||
| A user with vpuser credentials that opens an SSH connection to the device, gets a restricted shell rbash that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash restrictions. | ||||
| CVE-2024-4604 | 2026-04-15 | 6.1 Medium | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Magarsus Consultancy SSO (Single Sign On) allows Manipulating Hidden Fields.This issue affects SSO (Single Sign On): from 1.0 before 1.1. | ||||
| CVE-2025-8732 | 1 Gnome | 1 Libxml2 | 2026-04-15 | 3.3 Low |
| A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all." | ||||
| CVE-2024-10497 | 2026-04-15 | 8.8 High | ||
| CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device. | ||||