Export limit exceeded: 348073 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search Results (348073 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62366 | 1 Mailgen | 1 Mailgen | 2026-04-15 | N/A |
| mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user‑generated content is supplied. The function attempts to remove HTML tags, but if tags are provided as encoded HTML entities they are not removed and are later decoded, resulting in active HTML (for example an img tag with an event handler) in the supposed plaintext output. In contexts where the generated plaintext string is subsequently rendered as HTML, this can allow execution of attacker‑controlled JavaScript. Versions 2.0.31 and later contain a fix. No known workarounds exist. | ||||
| CVE-2024-30802 | 1 G-sky | 1 Vehicle Management System | 2026-04-15 | 9.8 Critical |
| An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component. | ||||
| CVE-2024-30804 | 1 Asus | 1 Fan Xpert | 2026-04-15 | 9.8 Critical |
| An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests. | ||||
| CVE-2024-30875 | 1 Jqueryui | 1 Jquery Ui | 2026-04-15 | 7.1 High |
| Cross Site Scripting vulnerability in JavaScript Library jquery-ui v.1.13.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the window.addEventListener component. NOTE: this is disputed by the Supplier because it cannot be reproduced, and because the exploitation example does not indicate whether, or how, the example website is using jQuery UI. | ||||
| CVE-2024-30931 | 1 Emby | 1 Media Server | 2026-04-15 | 6.1 Medium |
| Stored Cross Site Scripting vulnerability in Emby Media Server 4.8.3.0 allows a remote attacker to escalate privileges via the notifications.html component. | ||||
| CVE-2024-30963 | 1 Open Robotics | 3 Nav2 Humble, Ros2 Humble, Ros2 Navigation2 | 2026-04-15 | 7.8 High |
| Buffer Overflow vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via a crafted script. | ||||
| CVE-2024-30973 | 2026-04-15 | 8.8 High | ||
| An issue in V-SOL G/EPON ONU HG323AC-B with firmware version V2.0.08-210715 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted POST request to /boaform/getASPdata/formFirewall, /boaform/getASPdata/formAcc. | ||||
| CVE-2024-30977 | 1 Secnet Security Network Intelligent Ac Management System | 1 Secnet Security Network Intelligent Ac Management System | 2026-04-15 | 7.8 High |
| An issue in Secnet Security Network Intelligent AC Management System v.1.02.040 allows a local attacker to escalate privileges via the password component. | ||||
| CVE-2024-3098 | 2026-04-15 | N/A | ||
| A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw. | ||||
| CVE-2024-31032 | 1 Huashi | 1 Private Cloud Cdn Live Streaming Acceleration Server | 2026-04-15 | 9.8 Critical |
| An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component. | ||||
| CVE-2024-31069 | 2026-04-15 | 7.4 High | ||
| IO-1020 Micro ELD web server uses a default password for authentication. | ||||
| CVE-2025-34180 | 1 Netsupport | 1 Netsupport Manager | 2026-04-15 | N/A |
| NetSupport Manager < 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding scheme. An attacker who obtains access to a deployed client configuration file can decode the stored value to recover the plaintext Gateway Key. Possession of the Gateway Key allows unauthorized access to NetSupport Manager connectivity services and enables remote control of systems managed through the same key. | ||||
| CVE-2024-31081 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2026-04-15 | 7.3 High |
| A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | ||||
| CVE-2024-3109 | 2026-04-15 | 6.3 Medium | ||
| A hard-coded AES key vulnerability was reported in the Motorola GuideMe application that, along with a lack of URI sanitization, could allow a local attacker to read arbitrary files. | ||||
| CVE-2025-34181 | 1 Netsupport | 1 Netsupport Manager | 2026-04-15 | N/A |
| NetSupport Manager < 14.12.0001 contains an arbitrary file write vulnerability in its Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This can be leveraged to place attacker-controlled DLLs or executables in privileged paths and achieve remote code execution in the context of the NetSupport Manager connectivity service. | ||||
| CVE-2025-53528 | 1 Zmievsa | 1 Cadwyn | 2026-04-15 | 7.6 High |
| Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3. | ||||
| CVE-2024-31107 | 2026-04-15 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DiSo Development Team OpenID allows Reflected XSS. This issue affects OpenID: from n/a through 3.6.1. | ||||
| CVE-2024-31121 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in HeartThis <= 0.1.0 versions. | ||||
| CVE-2024-31118 | 2 Smartypantsplugins, Wordpress | 2 Sp Project & Document Manager, Wordpress | 2026-04-15 | 6.5 Medium |
| Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SP Project & Document Manager: from n/a through 4.70. | ||||
| CVE-2024-31127 | 1 Zscaler | 1 Client Connector | 2026-04-15 | 7.3 High |
| An improper verification of a loaded library in Zscaler Client Connector on Mac < 4.2.0.241 may allow a local attacker to elevate their privileges. | ||||