Export limit exceeded: 12165 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12165 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-43236 2026-04-15 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Easy PayPal Buy Now Button.This issue affects Easy PayPal Buy Now Button: from n/a through 1.9.
CVE-2025-6597 2 Mediawiki, Wikimedia 2 Mediawiki, Mediawiki 2026-04-15 0.0 Low
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
CVE-2025-4044 2 Lexmark, Microsoft 2 Universal Print Driver, Windows 2026-04-15 8.2 High
Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.
CVE-2025-14742 2 Brechtvds, Wordpress 2 Wp Recipe Maker, Wordpress 2026-04-15 4.3 Medium
The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access.
CVE-2025-54427 1 Polkadot 1 Frontier 2026-04-15 N/A
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. The extrinsic note_min_gas_price_target is an inherent extrinsic, meaning only the block producer can call it. To ensure correctness, the ProvideInherent trait should be implemented for each inherent, which includes the check_inherent call. This allows other nodes to verify if the input (in this case, the target value) is correct. However, prior to commit a754b3d, the check_inherent function has not been implemented for note_min_gas_price_target. This lets the block producer set the target value without verification. The target is then used to set the MinGasPrice, which has an upper and lower bound defined in the on_initialize hook. The block producer can set the target to the upper bound. Which also increases the upper and lower bounds for the next block. Over time, this could result in continuously raising the gas price, making contract execution too expensive and ineffective for users. An attacker could use this flaw to manipulate the gas price, potentially leading to significantly inflated transaction fees. Such manipulation could render contract execution prohibitively expensive for users, effectively resulting in a denial-of-service condition for the network. This is fixed in version a754b3d.
CVE-2025-55060 2026-04-15 6.1 Medium
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-36331 1 Amd 3 Epyc, Epyc 9004, Epyc Embedded 9004 2026-04-15 3.2 Low
Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity.
CVE-2025-51869 2026-04-15 7.5 High
Insecure Direct Object Reference (IDOR) vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted space_id, thread_id, and message_id parameters to the v1/space/{space_id}/thread/{thread_id}/message/{message_id} endpoint.
CVE-2024-4693 1 Redhat 2 Advanced Virtualization, Enterprise Linux 2026-04-15 5.5 Medium
A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop(). This flaw allows a malicious guest to crash the QEMU process on the host.
CVE-2023-7307 2026-04-15 N/A
Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity definitions, leading to potential disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on parser behavior. The vulnerability is due to improper configuration of the XML parser, which allows resolution of external entities without restriction. This product is now integrated into their IAM (Internet Access Management) platform and an affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-09-06 UTC.
CVE-2024-54159 2026-04-15 4.1 Medium
stalld through 1.19.7 allows local users to cause a denial of service (file overwrite) via a /tmp/rtthrottle symlink attack.
CVE-2024-53264 2026-04-15 N/A
bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). A open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter. The loading endpoint accepts and uses an unvalidated "next" parameter for redirects. Ex. visiting: `/loading?next=https://google.com` while authenticated will cause the page will redirect to google.com. This vulnerability could be used in phishing attacks by redirecting users from a legitimate application URL to malicious sites. This issue has been addressed in version 1.5.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-2493 2026-04-15 7.5 High
Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.
CVE-2025-49091 2026-04-15 8.2 High
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
CVE-2024-24980 1 Intel 1 Xeon Processors 2026-04-15 6.1 Medium
Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-42185 2026-04-15 2.5 Low
BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. This allows an attacker to exploit this vulnerability by injecting malicious XML content, which can lead to various issues including denial of service and unauthorized access.
CVE-2023-51803 1 Linuxserver 1 Heimdall Application Dashboard 2026-04-15 9.8 Critical
LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.
CVE-2024-25066 1 Rsa 1 Authentication Manager 2026-04-15 4.3 Medium
RSA Authentication Manager before 8.7 SP2 Patch 1 allows XML External Entity (XXE) attacks via a license file, resulting in attacker-controlled files being stored on the product's server. Data exfiltration cannot occur.
CVE-2024-22262 1 Redhat 1 Apache Camel Spring Boot 2026-04-15 8.1 High
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CVE-2024-4076 2 Isc, Redhat 7 Bind, Enterprise Linux, Openshift and 4 more 2026-04-15 7.5 High
Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.