Export limit exceeded: 346797 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346797 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-3079 | 1 Asus | 7 Rt-ac68u Firmware, Rt-ac86u Firmware, Rt-ax57 Firmware and 4 more | 2026-04-15 | 7.2 High |
| Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device. | ||||
| CVE-2024-50616 | 1 Ironmansoftware | 1 Powershell Universal | 2026-04-15 | 8.8 High |
| Ironman PowerShell Universal 5.x before 5.0.12 allows an authenticated attacker to elevate their privileges and view job information. | ||||
| CVE-2025-0579 | 1 Opencart | 1 Opencart | 2026-04-15 | 7.3 High |
| A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the argument x-username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11690 | 1 Cfmoto | 1 Ride | 2026-04-15 | 8.5 High |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix. | ||||
| CVE-2024-30801 | 1 Beijing Xinwang Medical Information Technology | 1 Cloud Based Customer Service Management Platform | 2026-04-15 | 5.5 Medium |
| SQL Injection vulnerability in Cloud based customer service management platform v.1.0.0 allows a local attacker to execute arbitrary code via a crafted payload to Login.asp component. | ||||
| CVE-2024-30848 | 1 Silversky | 1 Email Service | 2026-04-15 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in SilverSky E-mail service version 5.0.3126 allows remote attackers to inject arbitrary web script or HTML via the version parameter. | ||||
| CVE-2024-50624 | 1 Kde | 1 Kmail | 2026-04-15 | 5.9 Medium |
| ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard. | ||||
| CVE-2025-11887 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings. | ||||
| CVE-2024-50636 | 1 Schrodinger | 1 Pymol | 2026-04-15 | 9.8 Critical |
| PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote Command Execution (RCE). This vulnerability arises because PyMOL treats .PYM files as Python scripts without properly validating or restricting the commands within the script, enabling attackers to run unauthorized commands in the context of the user running the application. | ||||
| CVE-2024-30896 | 1 Influxdata | 1 Influxdb | 2026-04-15 | 9.1 Critical |
| InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue. | ||||
| CVE-2025-10946 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was detected in nuz007 smsboom up to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674. The affected element is an unknown function of the file dy.php. Performing manipulation of the argument hm results in cross site scripting. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | ||||
| CVE-2024-50640 | 2026-04-15 | 9.8 Critical | ||
| jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function | ||||
| CVE-2024-30952 | 2026-04-15 | 6.1 Medium | ||
| A stored cross-site scripting (XSS) vulnerability in PESCMS-TEAM v2.3.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the domain input field under /youdoamin/?g=Team&m=Setting&a=action. | ||||
| CVE-2025-12197 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-30964 | 1 Open Robotics | 3 Nav2 Humble, Ros2 Humble, Ros2 Navigation2 | 2026-04-15 | 7.8 High |
| Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via the initial_pose_sub thread created by nav2_bt_navigator | ||||
| CVE-2024-50647 | 1 Python Food Ordering System | 1 Python Food Ordering System | 2026-04-15 | 7.5 High |
| The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through https://ip:port/api/myapp/index/user/info?id=1 And modify the ID value to obtain sensitive user information beyond authorization. | ||||
| CVE-2025-12452 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12465 | 1 Opensolution | 1 Quick.cms | 2026-04-15 | N/A |
| A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2024-50671 | 2026-04-15 | 4.3 Medium | ||
| Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users. | ||||
| CVE-2024-3100 | 1 Lenovo | 55 100w Gen 3 Firmware, 100w Gen 4 Firmware, 13w Yoga Firmware and 52 more | 2026-04-15 | 6.7 Medium |
| A potential buffer overflow vulnerability was reported in some Lenovo Notebook products that could allow a local attacker with elevated privileges to execute arbitrary code. | ||||