Search Results (345193 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27645 | 2 Dgtlmoon, Webtechnologies | 2 Changedetection.io, Changedetection | 2026-04-17 | 6.1 Medium |
| changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue. | ||||
| CVE-2026-27696 | 2 Dgtlmoon, Webtechnologies | 2 Changedetection.io, Changedetection | 2026-04-17 | 8.6 High |
| changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue. | ||||
| CVE-2026-3150 | 2 Angeljudesuarez, Itsourcecode | 2 College Management System, College Management System | 2026-04-17 | 6.3 Medium |
| A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-3151 | 2 Angeljudesuarez, Itsourcecode | 2 College Management System, College Management System | 2026-04-17 | 7.3 High |
| A vulnerability was detected in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /login/login.php. The manipulation of the argument email results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | ||||
| CVE-2026-3152 | 2 Angeljudesuarez, Itsourcecode | 2 College Management System, College Management System | 2026-04-17 | 7.3 High |
| A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php. This manipulation of the argument teacher_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-3153 | 2 Admerc, Itsourcecode | 2 Document Management System, Document Management System | 2026-04-17 | 7.3 High |
| A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-3163 | 2 Remyandrade, Sourcecodester | 2 Website Link Extractor, Website Link Extractor | 2026-04-17 | 6.3 Medium |
| A vulnerability has been found in SourceCodester Website Link Extractor 1.0. This vulnerability affects the function file_get_contents of the component URL Handler. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-3100 | 1 Asustor | 2 Adm, Data Master | 2026-04-17 | 6.5 Medium |
| The FTP Backup on the ADM does not strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. Improperly validated TLS/SSL certificates allow a remote attacker to intercept network traffic and perform a Man-in-the-Middle (MitM) attack, which may intercept, modify, or obtain sensitive information such as authentication credentials and backup data. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51. | ||||
| CVE-2026-3179 | 1 Asustor | 2 Adm, Data Master | 2026-04-17 | 8.1 High |
| The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51. | ||||
| CVE-2026-3165 | 1 Tenda | 2 F453, F453 Firmware | 2026-04-17 | 8.8 High |
| A vulnerability was determined in Tenda F453 1.0.0.3. Impacted is the function fromSetWifiGusetBasic of the file /goform/AdvSetWrlsafeset of the component httpd. This manipulation of the argument mit_ssid causes buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-3166 | 1 Tenda | 2 F453, F453 Firmware | 2026-04-17 | 8.8 High |
| A vulnerability was identified in Tenda F453 1.0.0.3. The affected element is the function fromRouteStatic of the file /goform/RouteStatic of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-3167 | 1 Tenda | 2 F453, F453 Firmware | 2026-04-17 | 8.8 High |
| A security flaw has been discovered in Tenda F453 1.0.0.3. The impacted element is the function formWebTypeLibrary of the file /goform/webtypelibrary of the component httpd. Performing a manipulation of the argument webSiteId results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-3170 | 3 Pamzey, Patrick Mvuma, Sourcecodester | 3 Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System, Patients Waiting Area Queue Management System | 2026-04-17 | 2.4 Low |
| A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected is an unknown function of the file /patient-search.php. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. | ||||
| CVE-2026-25701 | 1 Opensuse | 1 Sdbootutil | 2026-04-17 | N/A |
| An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored. * overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak. This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca. | ||||
| CVE-2026-2624 | 2 Epati, Epati Cyber security Technologies | 2 Antikor Next Generation Firewall, Antikor Next Generation Firewall | 2026-04-17 | 9.8 Critical |
| Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows Authentication Bypass. This issue affects Antikor Next Generation Firewall (NGFW): from v.2.0.1298 before v.2.0.1301. | ||||
| CVE-2026-28193 | 1 Jetbrains | 1 Youtrack | 2026-04-17 | 8.8 High |
| In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint | ||||
| CVE-2026-28194 | 1 Jetbrains | 1 Teamcity | 2026-04-17 | 4.3 Medium |
| In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow | ||||
| CVE-2026-28195 | 1 Jetbrains | 1 Teamcity | 2026-04-17 | 4.3 Medium |
| In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations | ||||
| CVE-2026-27692 | 2 Color, Internationalcolorconsortium | 2 Iccdev, Iccdev | 2026-04-17 | 7.1 High |
| iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Release() when strlen() reads past a heap buffer while parsing ICC profile XML text description tags, causing a crash. Commit 29d088840b962a7cdd35993dfabc2cb35a049847 fixes the issue. No known workarounds are available. | ||||
| CVE-2026-2878 | 1 Progress | 1 Telerik Ui For Asp.net Ajax | 2026-04-17 | 5.3 Medium |
| In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering. | ||||