Export limit exceeded: 345203 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345203 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69893 | 1 Satoshilabs | 3 Trezor One, Trezor Safe, Trezor T | 2026-04-17 | 4.6 Medium |
| A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched. | ||||
| CVE-2026-2450 | 1 Upkeeper Solutions | 1 Upkeeper Instant Privlege Access | 2026-04-17 | N/A |
| .NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0. | ||||
| CVE-2026-33929 | 1 Apache | 1 Pdfbox Examples | 2026-04-17 | 4.3 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository. | ||||
| CVE-2026-34721 | 1 Zammad | 1 Zammad | 2026-04-17 | 6.5 Medium |
| Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. | ||||
| CVE-2025-12454 | 1 Opentext | 1 Vertica | 2026-04-17 | 6.1 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ Vertica allows Reflected XSS. The vulnerability could lead to Reflected XSS attack of cross-site scripting in Vertica management console application.This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X. | ||||
| CVE-2025-12455 | 1 Opentext | 1 Vertica | 2026-04-17 | 7.5 High |
| Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in Vertica management console application.This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X. | ||||
| CVE-2026-27676 | 1 Sap | 1 S/4hana | 2026-04-17 | 4.3 Medium |
| Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted. | ||||
| CVE-2025-31991 | 1 Hclsoftware | 1 Velocity | 2026-04-17 | 6.8 Medium |
| Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. | ||||
| CVE-2025-40745 | 1 Siemens | 7 Simcenter 3d, Simcenter Femap, Simcenter Star-ccm\+ and 4 more | 2026-04-17 | 3.7 Low |
| A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. | ||||
| CVE-2026-24318 | 1 Sap Se | 1 Sap Business Objects Business Intelligence Platform | 2026-04-17 | 4.2 Medium |
| Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected. | ||||
| CVE-2026-27668 | 1 Siemens | 1 Ruggedcom Crossbow Secure Access Manager Primary (sam-p) | 2026-04-17 | 8.8 High |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level. | ||||
| CVE-2026-6100 | 1 Python | 1 Cpython | 2026-04-17 | 8.1 High |
| Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable. | ||||
| CVE-2026-34262 | 1 Sap | 2 Hana Cockpit, Hana Database Explorer | 2026-04-17 | 5 Medium |
| Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer | ||||
| CVE-2026-34261 | 1 Sap | 2 Business Analytics, Content Management | 2026-04-17 | 6.5 Medium |
| Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability. | ||||
| CVE-2026-34264 | 1 Sap | 1 Erp Human Capital Management | 2026-04-17 | 6.5 Medium |
| During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected. | ||||
| CVE-2026-34257 | 1 Sap | 1 Netweaver Application Server Abap | 2026-04-17 | 6.1 Medium |
| Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that, if accessed by a victim, they could be redirected to the page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability. | ||||
| CVE-2026-25654 | 1 Siemens | 1 Sinec-nms | 2026-04-17 | 8.8 High |
| A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. | ||||
| CVE-2026-27672 | 1 Sap | 1 Material Master Application | 2026-04-17 | 4.3 Medium |
| The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system. | ||||
| CVE-2026-27679 | 1 Sap | 1 S/4hana | 2026-04-17 | 6.5 Medium |
| Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted. | ||||
| CVE-2026-0512 | 1 Sap | 1 Supplier Relationship Management | 2026-04-17 | 6.1 Medium |
| Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. | ||||