Export limit exceeded: 346703 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 346703 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346703 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11696 | 1 Rockwellautomation | 1 Studio 5000 Simulation Interface | 2026-04-15 | N/A |
| A local server-side request forgery (SSRF) security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes. | ||||
| CVE-2025-11680 | 1 Warmcat | 1 Libwebsockets | 2026-04-15 | 3.1 Low |
| Out-of-bounds Write in unfilter_scanline in warmcat libwebsockets allows, when the LWS_WITH_UPNG flag is enabled during compilation and the HTML display stack is used, to write past a heap allocated buffer possibly causing a crash, when the user visits an attacker controlled website that contains a crafted PNG file with a big width value that causes an integer overflow which value is used for determining the size of a heap allocation. | ||||
| CVE-2025-11697 | 1 Rockwellautomation | 1 Studio 5000 Simulation Interface | 2026-04-15 | N/A |
| A local code execution security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot. | ||||
| CVE-2025-11730 | 1 Zyxel | 4 Atp Series Firmware, Usg20(w)-vpn Series Firmware, Usg Flex 50(w) Series Firmware and 1 more | 2026-04-15 | 7.2 High |
| A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. | ||||
| CVE-2025-11743 | 1 Rockwellautomation | 1 Compactlogix 5370 | 2026-04-15 | N/A |
| A denial-of-service security issue in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault a restart is required to recover. | ||||
| CVE-2025-12046 | 1 Lenovo | 2 App Store, Browser | 2026-04-15 | 7.8 High |
| A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions. | ||||
| CVE-2025-11765 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11567 | 1 Schneider-electric | 1 Powerchute Serial Shutdown | 2026-04-15 | N/A |
| CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured. | ||||
| CVE-2025-11566 | 1 Schneider-electric | 1 Powerchute Serial Shutdown | 2026-04-15 | N/A |
| CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. | ||||
| CVE-2025-11545 | 2026-04-15 | N/A | ||
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows a attacker may improperly access the HTTP server and execute arbitrary actions. | ||||
| CVE-2025-1154 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in xxyopen Novel up to 3.4.1. Affected by this issue is some unknown functionality of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | ||||
| CVE-2025-11498 | 1 Br-automation | 1 Automation Runtime | 2026-04-15 | 6.1 Medium |
| An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file addi-tionally needs to be manually opened. | ||||
| CVE-2025-11488 | 1 D-link | 1 Dir-852 | 2026-04-15 | 7.3 High |
| A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-11468 | 1 Python | 1 Cpython | 2026-04-15 | 4.5 Medium |
| When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. | ||||
| CVE-2025-11466 | 1 Alltena | 1 Allegra | 2026-04-15 | N/A |
| Allegra DatabaseBackupBL Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the DatabaseBackupBL class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-27136. | ||||
| CVE-2025-1146 | 1 Crowdstrike | 1 Falcon | 2026-04-15 | 8.1 High |
| CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where our TLS connection routine to the CrowdStrike cloud can incorrectly process server certificate validation. This could allow an attacker with the ability to control network traffic to potentially conduct a man-in-the-middle (MiTM) attack. CrowdStrike identified this issue internally and released a security fix in all Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor versions 7.06 and above. CrowdStrike identified this issue through our longstanding, rigorous security review process, which has been continually strengthened with deeper source code analysis and ongoing program enhancements as part of our commitment to security resilience. CrowdStrike has no indication of any exploitation of this issue in the wild. CrowdStrike has leveraged its world class threat hunting and intelligence capabilities to actively monitor for signs of abuse or usage of this flaw and will continue to do so. Windows and Mac sensors are not affected by this. | ||||
| CVE-2025-1145 | 2026-04-15 | 6.1 Medium | ||
| NetVision Information ISOinsight has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing techniques. | ||||
| CVE-2025-11535 | 2 Microsoft, Mongodb | 3 Windows, Connector For Bi, Mongodb | 2026-04-15 | N/A |
| MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24. | ||||
| CVE-2025-7371 | 1 Okta | 1 On-premises Provisioning Agent | 2026-04-15 | 6.8 Medium |
| Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions. | ||||
| CVE-2025-1143 | 1 Billion Electric | 1 M120n | 2026-04-15 | 8.4 High |
| Certain models of routers from Billion Electric has hard-coded embedded linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system. | ||||