Export limit exceeded: 349431 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (349431 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9059 | 1 Broadcom | 2 Broadcom, Desktop Management Suite | 2026-04-15 | N/A |
| The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking. | ||||
| CVE-2023-6949 | 1 Dji | 1 Mini 3 Pro Firmware | 2026-04-15 | 5.2 Medium |
| A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication. | ||||
| CVE-2023-6950 | 2026-04-15 | 3 Low | ||
| An Improper Input Validation vulnerability affecting the FTP service running on the DJI Mavic Mini 3 Pro could allow an attacker to craft a malicious packet containing a malformed path provided to the FTP SIZE command that leads to a denial-of-service attack of the FTP service itself. | ||||
| CVE-2023-6951 | 2026-04-15 | 6.6 Medium | ||
| A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to the drone’s Wi- Fi network. This, in turn, allows the attacker to perform unauthorized interaction with the network services exposed by the drone and to potentially decrypt the Wi-Fi traffic exchanged between the drone and the Android/IOS device of the legitimate user during QuickTransfer mode. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620. | ||||
| CVE-2023-7003 | 1 Sciener | 1 Ttlock App | 2026-04-15 | 6.8 Medium |
| The AES key utilized in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique, and can be reused to compromise other locks using the Sciener firmware. | ||||
| CVE-2023-7017 | 1 Sciener | 1 Kontrol Lux Firmware | 2026-04-15 | 9.8 Critical |
| Sciener locks' firmware update mechanism do not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A challenge request can be sent to the lock with a command to prepare for an update, rather than an unlock request, allowing an attacker to compromise the device. | ||||
| CVE-2023-7049 | 2026-04-15 | 4.3 Medium | ||
| The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the the 'cm_fieldshow' shortcode due to missing validation on the 'job_id' user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata. | ||||
| CVE-2023-7066 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2026-04-15 | 7.8 High |
| The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process. | ||||
| CVE-2023-7073 | 1 Creative Motion | 1 Auto Featured Image | 2026-04-15 | 6.4 Medium |
| The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library AJAX action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-55049 | 1 Baicells | 1 Neutrino 430 | 2026-04-15 | 9.1 Critical |
| Use of Default Cryptographic Key (CWE-1394) | ||||
| CVE-2025-55050 | 2026-04-15 | 9.8 Critical | ||
| CWE-1242: Inclusion of Undocumented Features | ||||
| CVE-2023-7273 | 1 Kiteworks | 1 Owncloud | 2026-04-15 | 6.8 Medium |
| Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim. | ||||
| CVE-2023-7286 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above. | ||||
| CVE-2023-7295 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Video Grid plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search_term parameter in versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-55052 | 2026-04-15 | 4.3 Medium | ||
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ||||
| CVE-2023-7304 | 1 Ruijie | 1 Rg-uac | 2026-04-15 | N/A |
| Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign. | ||||
| CVE-2023-7305 | 1 Guangzhou Smart Software | 1 Smartbi | 2026-04-15 | N/A |
| SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild. | ||||
| CVE-2023-7306 | 2 Najeebmedia, Wordpress | 2 Frontend File Manager Plugin, Wordpress | 2026-04-15 | 7.5 High |
| The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts. | ||||
| CVE-2023-7311 | 1 Bytevalue | 1 Flow Control Router | 2026-04-15 | N/A |
| BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The `path` parameter is not properly validated and is echoed into a shell context, allowing an attacker to inject and execute arbitrary shell commands on the device. Successful exploitation can lead to writing backdoors, privilege escalation on the host, and full compromise of the router and its management functions. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign. | ||||
| CVE-2025-55053 | 2026-04-15 | 6.5 Medium | ||
| CWE-328: Use of Weak Hash | ||||