Export limit exceeded: 363576 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (5647 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29556 | 1 Exagrid | 1 Ex10 | 2026-04-15 | 7.3 High |
| ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with an Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval. | ||||
| CVE-2025-61973 | 1 Epic Games | 1 Epic Games Store | 2026-04-15 | 8.8 High |
| A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | ||||
| CVE-2022-43110 | 1 Voltronicpower | 1 Viewpower | 2026-04-15 | 9.8 Critical |
| Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | ||||
| CVE-2025-22391 | 1 Intel | 1 Sigtest | 2026-04-15 | 6.7 Medium |
| Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2024-10124 | 2026-04-15 | 9.8 Critical | ||
| The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1. | ||||
| CVE-2025-0460 | 2026-04-15 | 7.3 High | ||
| A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart. This affects an unknown part of the file /index.php?route=extension/module/blog_add. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45982 | 1 Scheduler | 1 Scheduler | 2026-04-15 | 8.8 High |
| A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts. | ||||
| CVE-2025-30132 | 2026-04-15 | 9.1 Critical | ||
| An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allowing an attacker to register it and potentially intercept sensitive device traffic. If the dashcam or related services attempt to resolve this domain over the public Internet instead of locally, it could lead to data exfiltration or man-in-the-middle attacks. | ||||
| CVE-2024-1678 | 2 Dunhakdis, Wordpress | 2 Subway-private Site Option, Wordpress | 2026-04-15 | 5.3 Medium |
| The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post content. | ||||
| CVE-2025-0980 | 2 Linux, Nokia | 2 Linux, Service Router Linux | 2026-04-15 | 6.4 Medium |
| Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. | ||||
| CVE-2025-15109 | 1 Jackq | 1 Xcms | 2026-04-15 | 7.3 High |
| A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2024-40117 | 1 Solar-log | 1 Solar-log 1000 Firmware | 2026-04-15 | 9.8 Critical |
| Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. Not existing for SL 200, 500, 1000 / fixed in 4.2.8 for SL 250, 300, 1200, 2000, SL 50 Gateway / fixed in 5.1.2 / 6.0.0 for SL Base. | ||||
| CVE-2025-25381 | 2026-04-15 | 7.5 High | ||
| Incorrect access control in the KSRTC AWATAR app of Karnataka State Road Transport Corporation v1.3.0 allows to view sensitive information such as usernames and passwords. | ||||
| CVE-2024-22830 | 1 Windows-kernel | 1 Ace-base-sys | 2026-04-15 | 5.3 Medium |
| Anti-Cheat Expert's Windows kernel module "ACE-BASE.sys" version 1.0.2202.6217 does not perform proper access control when handling system resources. This allows a local attacker to escalate privileges from regular user to System or PPL level. | ||||
| CVE-2025-8128 | 1 Zhousg | 1 Letao | 2026-04-15 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in zhousg letao up to 7d8df0386a65228476290949e0413de48f7fbe98. This issue affects some unknown processing of the file routes\bf\product.js. The manipulation of the argument pictrdtz leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2022-47036 | 1 Siklu | 1 Tg Terragraph | 2026-04-15 | 9.8 Critical |
| Siklu TG Terragraph devices before approximately 2.1.1 have a hardcoded root password that has been revealed via a brute force attack on an MD5 hash. It can be used for "debug login" by an admin. NOTE: the vulnerability is not fixed by the 2.1.1 firmware; instead, it is fixed in newer hardware, which would typically be used with firmware 2.1.1 or later. | ||||
| CVE-2024-21741 | 1 Gigadevice | 1 Gd32e103c8t6 | 2026-04-15 | 9.8 Critical |
| GigaDevice GD32E103C8T6 devices have Incorrect Access Control. | ||||
| CVE-2025-20076 | 2026-04-15 | 5 Medium | ||
| Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | ||||
| CVE-2025-0033 | 1 Amd | 3 Epyc, Epyc 7003, Epyc 9005 | 2026-04-15 | 6 Medium |
| Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity. | ||||
| CVE-2025-20052 | 2026-04-15 | 7.3 High | ||
| Improper access control for some Intel(R) Graphics software may allow an authenticated user to potentially enable denial of service via local access. | ||||