Export limit exceeded: 12156 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12156 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-34064 2026-04-15 N/A
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.
CVE-2024-9262 2026-04-15 6.5 Medium
The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.
CVE-2024-22439 2026-04-15 6.9 Medium
A potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches resulting in information disclosure.
CVE-2024-1227 1 Rejetto 1 Http File Server 2026-04-15 6.5 Medium
An open redirect vulnerability, the exploitation of which could allow an attacker to create a custom URL and redirect a legitimate page to a malicious site.
CVE-2024-34015 2026-04-15 N/A
Sensitive information disclosure during file browsing due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.3.818, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892.
CVE-2025-68937 1 Forgejo 1 Forgejo 2026-04-15 9.9 Critical
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
CVE-2025-7766 1 Lantronix 1 Provisioning Manager 2026-04-15 8 High
Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.
CVE-2024-13607 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.
CVE-2024-2419 1 Redhat 1 Build Keycloak 2026-04-15 7.1 High
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
CVE-2024-39697 2026-04-15 8.6 High
phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.
CVE-2024-31601 1 Panabit 1 Panalog 2026-04-15 9.8 Critical
An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component.
CVE-2025-10229 2026-04-15 4.3 Medium
A vulnerability has been found in Freshwork up to 1.2.3. This impacts an unknown function of the file /api/v2/logout. Such manipulation of the argument post_logout_redirect_uri leads to open redirect. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.3 will fix this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-38874 1 Typo3 1 Events2 2026-04-15 5.4 Medium
An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.
CVE-2024-38821 1 Spring 1 Webflux 2026-04-15 9.1 Critical
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support
CVE-2025-41402 1 Gallagher 1 Command Centre 2026-04-15 5.5 Medium
Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server:  9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), all versions of 9.00 and prior.
CVE-2025-29864 2 Estsoft, Microsoft 2 Alzip, Windows 2026-04-15 N/A
Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass.This issue affects ALZip: from 12.01 before 12.29.
CVE-2024-24312 2026-04-15 7.5 High
SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component.
CVE-2024-25091 2026-04-15 9.1 Critical
Protection mechanism failure issue exists in RevoWorks SCVX prior to scvimage4.10.21_1013 (when using 'VirusChecker' or 'ThreatChecker' feature) and RevoWorks Browser prior to 2.2.95 (when using 'VirusChecker' or 'ThreatChecker' feature). If data containing malware is saved in a specific file format (eml, dmg, vhd, iso, msi), malware may be taken outside the sandboxed environment.
CVE-2025-3717 1 Grafana 1 Grafana 2026-04-15 N/A
When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it  could result in  the wrong user identifier being used, and information for which the viewer is not authorized being returned.  This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1.
CVE-2025-5455 1 Redhat 1 Enterprise Linux 2026-04-15 5.3 Medium
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.