Export limit exceeded: 10692 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10692 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-20223 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2026-04-14 | 9.8 Critical |
| Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls. | ||||
| CVE-2026-4692 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-14 | 9.6 Critical |
| Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | ||||
| CVE-2026-39526 | 2 Wordpress, Wpstream | 2 Wordpress, Wpstream | 2026-04-14 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2. | ||||
| CVE-2025-15618 | 1 Mock | 2 Business::onlinepayment::storedtransaction, Business\ | 2026-04-14 | 9.1 Critical |
| Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data. | ||||
| CVE-2026-34401 | 1 Microsoft | 2 Xml Notepad, Xmlnotepad | 2026-04-14 | 6.5 Medium |
| XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21. | ||||
| CVE-2026-34933 | 1 Avahi | 1 Avahi | 2026-04-14 | 5.5 Medium |
| Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | ||||
| CVE-2026-35173 | 2 Chyrplite, Xenocrat Project | 2 Chyrp Lite, Chyrp-lite | 2026-04-14 | 6.5 Medium |
| Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01. | ||||
| CVE-2026-4277 | 1 Djangoproject | 1 Django | 2026-04-14 | 9.8 Critical |
| An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue. | ||||
| CVE-2026-39510 | 2 Wordpress, Wpchill | 2 Wordpress, Image Photo Gallery Final Tiles Grid | 2026-04-14 | 2.7 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11. | ||||
| CVE-2026-39616 | 2 Dfactory, Wordpress | 2 Download Attachments, Wordpress | 2026-04-14 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0. | ||||
| CVE-2026-39865 | 1 Axios | 1 Axios | 2026-04-14 | 5.9 Medium |
| Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2. | ||||
| CVE-2026-5863 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-5875 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-5900 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5901 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 6.5 Medium |
| Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2026-5903 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 6.5 Medium |
| Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5911 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-25854 | 1 Apache | 1 Tomcat | 2026-04-14 | 6.1 Medium |
| Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. | ||||
| CVE-2026-29146 | 1 Apache | 1 Tomcat | 2026-04-14 | 7.5 High |
| Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue. | ||||
| CVE-2026-40200 | 1 Musl-libc | 1 Musl | 2026-04-14 | 8.1 High |
| An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical). | ||||