Export limit exceeded: 23269 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 12154 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12154 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-44331 1 Gstreamer Project 1 Gst-rtsp-server 2026-04-15 7.5 High
Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.
CVE-2024-45247 2026-04-15 6.1 Medium
Sonarr – CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2025-46344 1 Auth0 1 Nextjs-auth0 2026-04-15 N/A
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.
CVE-2025-50422 1 Freedesktop 1 Poppler 2026-04-15 2.9 Low
Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c.
CVE-2024-45981 1 Bookreviewlibrary 1 Bookreviewlibrary 2026-04-15 8.8 High
A host header injection vulnerability in BookReviewLibrary 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link.
CVE-2024-46040 2026-04-15 6.5 Medium
IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired.
CVE-2024-9262 2026-04-15 6.5 Medium
The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.
CVE-2024-22248 2026-04-15 7.1 High
VMware SD-WAN Orchestrator contains an open redirect vulnerability. A malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.
CVE-2025-7899 2026-04-15 N/A
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
CVE-2024-2419 1 Redhat 1 Build Keycloak 2026-04-15 7.1 High
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
CVE-2025-41402 1 Gallagher 1 Command Centre 2026-04-15 5.5 Medium
Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server:  9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), all versions of 9.00 and prior.
CVE-2024-24983 1 Intel 1 Ethernet Complete Driver Pack 2026-04-15 6.5 Medium
Protection mechanism failure in firmware for some Intel(R) Ethernet Network Controllers and Adapters E810 Series before version 4.4 may allow an unauthenticated user to potentially enable denial of service via network access.
CVE-2024-25091 2026-04-15 9.1 Critical
Protection mechanism failure issue exists in RevoWorks SCVX prior to scvimage4.10.21_1013 (when using 'VirusChecker' or 'ThreatChecker' feature) and RevoWorks Browser prior to 2.2.95 (when using 'VirusChecker' or 'ThreatChecker' feature). If data containing malware is saved in a specific file format (eml, dmg, vhd, iso, msi), malware may be taken outside the sandboxed environment.
CVE-2025-3717 1 Grafana 1 Grafana 2026-04-15 N/A
When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it  could result in  the wrong user identifier being used, and information for which the viewer is not authorized being returned.  This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1.
CVE-2024-48217 1 Sismart 1 Cms 2026-04-15 8.8 High
An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation.
CVE-2024-4843 2026-04-15 4.3 Medium
ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.
CVE-2025-41358 1 Cronosweb I2a 1 Cronosweb 2026-04-15 N/A
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
CVE-2025-4407 2026-04-15 6.7 Medium
Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1.
CVE-2025-44044 2026-04-15 7.5 High
Keyoti SearchUnit prior to 9.0.0. is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system.
CVE-2025-0325 2026-04-15 4.3 Medium
A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device.