Export limit exceeded: 365171 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12165 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-23183 | 2026-04-15 | 6.1 Medium | ||
| CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | ||||
| CVE-2023-52968 | 1 Mariadb | 1 Mariadb | 2026-04-15 | 4.9 Medium |
| MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under mysql_derived_prepare when derived is not yet prepared, leading to a find_field_in_table crash. | ||||
| CVE-2025-41251 | 1 Vmware | 3 Cloud Foundation, Nsx, Nsx-t | 2026-04-15 | 8.1 High |
| VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks. Impact: Username enumeration → credential brute force risk. Attack Vector: Remote, unauthenticated. Severity: Important. CVSSv3: 8.1 (High). Acknowledgments: Reported by the National Security Agency. Affected Products:VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x NSX-T 3.x VMware Cloud Foundation (with NSX) 5.x, 4.5.x Fixed Versions: NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None. | ||||
| CVE-2024-10667 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Content Slider Block plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1.5 via the [csb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-10159 | 1 Sophos | 1 Ap6 Series Wireless Access Points | 2026-04-15 | 9.8 Critical |
| An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). | ||||
| CVE-2024-2635 | 2026-04-15 | 7.3 High | ||
| The configuration pages available are not intended to be placed on an Internet facing web server, as they expose file paths to the client, who can be an attacker. Instead of rewriting these pages to avoid this vulnerability, they will be dismissed from future releases of Cegid Meta4 HR, as they do not offer product functionality | ||||
| CVE-2024-9617 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | N/A |
| An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file. | ||||
| CVE-2024-8361 | 2026-04-15 | 7.5 High | ||
| In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, device will restart after watch dog expires. If watchdog is not implemented, device can be recovered only after a hard reset | ||||
| CVE-2024-6961 | 1 Guardrailsai | 1 Guardrails | 2026-04-15 | 5.9 Medium |
| RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity. | ||||
| CVE-2024-22218 | 1 Terminalfour | 2 Terminalfour, Xml Jdbc | 2026-04-15 | 8.8 High |
| XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code execution (RCE), or performing Server-Side Request Forgery (SSRF) attacks. | ||||
| CVE-2024-5801 | 2026-04-15 | N/A | ||
| Enabled IP Forwarding feature in B&R Automation Runtime versions before 6.0.2 may allow remote attack-ers to compromise network security by routing IP-based packets through the host, potentially by-passing firewall, router, or NAC filtering. | ||||
| CVE-2024-56952 | 2026-04-15 | 6.5 Medium | ||
| An issue in Beijing Baidu Netcom Science & Technology Co Ltd Baidu Lite app (iOS version) 6.40.0 allows attackers to access user information via supplying a crafted link. | ||||
| CVE-2025-57802 | 2026-04-15 | N/A | ||
| Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1. | ||||
| CVE-2024-52596 | 1 Simplesamlphp | 1 Xml-common | 2026-04-15 | N/A |
| SimpleSAMLphp xml-common is a common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 1.19.0. | ||||
| CVE-2025-57821 | 1 Basecamp | 1 Basecamp | 2026-04-15 | 4.2 Medium |
| Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitrary data into the session cookie. This issue has been patched in version 1.3.0. If upgrading is not possible at this time, a way to mitigate the chained attack can be done by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie. | ||||
| CVE-2025-6942 | 1 Delinea | 1 Secret Server | 2026-04-15 | 3.8 Low |
| The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine. | ||||
| CVE-2024-51132 | 2 Fhir, Redhat | 3 Hapi Fhir, Apache Camel Spring Boot, Camel Quarkus | 2026-04-15 | 9.8 Critical |
| An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. | ||||
| CVE-2025-59687 | 1 Impqtr | 1 Aurora | 2026-04-15 | 4.3 Medium |
| IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization. | ||||
| CVE-2021-47621 | 1 Classgraph | 1 Classgraph | 2026-04-15 | 7.5 High |
| ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks. | ||||
| CVE-2021-47663 | 2026-04-15 | 8.1 High | ||
| Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access. | ||||