Search Results (26448 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-23174 2026-04-15 7.5 High
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-24514 1 Kubernetes 1 Ingress-nginx 2026-04-15 8.8 High
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVE-2025-24513 1 Kubernetes 1 Ingress-nginx 2026-04-15 4.8 Medium
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
CVE-2025-67718 1 Form 1 Form.io 2026-04-15 N/A
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
CVE-2024-48310 2026-04-15 7.5 High
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.
CVE-2025-3092 2026-04-15 7.5 High
An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
CVE-2024-4022 2026-04-15 5.3 Medium
A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /version.js of the component Version Data Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-261674 is the identifier assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024.
CVE-2025-6386 1 Parisneo 1 Lollms 2026-04-15 N/A
The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.
CVE-2024-43319 2026-04-15 4.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in bPlugins LLC Flash & HTML5 Video.This issue affects Flash & HTML5 Video: from n/a through 2.5.31.
CVE-2025-59427 1 Cloudflare 2 Vite, Workerd 2026-04-15 N/A
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
CVE-2024-33753 2026-04-15 8.2 High
Section Camera V2.5.5.3116-S50-SMA-B20160811 and earlier versions allow the accounts and passwords of administrators and users to be changed without authorization.
CVE-2025-62979 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
Insertion of Sensitive Information Into Sent Data vulnerability in airesvsg ACF to REST API acf-to-rest-api allows Retrieve Embedded Sensitive Data.This issue affects ACF to REST API: from n/a through <= 3.3.4.
CVE-2025-68006 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data.This issue affects Booking Ultra Pro: from n/a through <= 1.1.23.
CVE-2025-4563 1 Kubernetes 1 Kubernetes 2026-04-15 2.7 Low
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVE-2025-10285 1 Silabs 1 Simplicity Device Manager 2026-04-15 N/A
The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user's domain password.
CVE-2025-0941 2026-04-15 5.8 Medium
MET ONE 3400+ instruments running software v1.0.41 can, under rare conditions, temporarily store credentials in plain text within the system. This data is not available to unauthenticated users.
CVE-2025-31126 2026-04-15 5.3 Medium
Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8.
CVE-2025-7693 1 Rockwellautomation 1 Micro800 2026-04-15 N/A
A security issue exists due to improper handling of malformed CIP Forward Close packets during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF015. To recover, clear the fault.
CVE-2025-12491 1 Senstar 1 Symphony 2026-04-15 N/A
Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908.
CVE-2025-0814 2026-04-15 5.3 Medium
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the network services running on the product when malicious IEC61850-MMS packets are sent to the device. The core functionality of the breaker remains intact during the attack.