Export limit exceeded: 350381 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 350381 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (350381 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-28303 | 1 Sourcecodester | 1 Open Source Medicine Ordering System | 2026-04-15 | 9.8 Critical |
| Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php. | ||||
| CVE-2024-53843 | 1 Cloud Native Computing Foundation | 1 Keycloak-connector | 2026-04-15 | 8.1 High |
| @dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to improper sanitization of the URL parameters, allowing the URL bar's contents to be injected and reflected into the HTML page. An attacker could craft a malicious URL to execute arbitrary JavaScript in the browser of a victim who visits the link. Any application utilizing this authentication library is vulnerable. Users of the application are at risk if they can be lured into clicking on a crafted malicious link. The vulnerability has been patched in version 2.5.5 by ensuring proper sanitization and escaping of user input in the affected URL parameters. Users are strongly encouraged to upgrade. If upgrading is not immediately possible, users can implement the following workarounds: 1. Employ a Web Application Firewall (WAF) to block malicious requests containing suspicious URL parameters. or 2. Apply input validation and escaping directly within the application’s middleware or reverse proxy layer, specifically targeting the affected parameters. | ||||
| CVE-2024-28325 | 1 Asus | 1 Rt-n12\+ B1 | 2026-04-15 | 6.1 Medium |
| Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings. | ||||
| CVE-2025-62356 | 1 Qodo | 1 Gen Ide | 2026-04-15 | 7.5 High |
| A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection. | ||||
| CVE-2024-2835 | 2026-04-15 | 8.7 High | ||
| A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited. | ||||
| CVE-2025-5681 | 2026-04-15 | 6.5 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 23.06.2025. | ||||
| CVE-2024-28389 | 2026-04-15 | 9.8 Critical | ||
| SQL injection vulnerability in KnowBand spinwheel v.3.0.3 and before allows a remote attacker to gain escalated privileges and obtain sensitive information via the SpinWheelFrameSpinWheelModuleFrontController::sendEmail() method. | ||||
| CVE-2024-28394 | 1 Advancedplugins | 1 Reportsstatistics | 2026-04-15 | 9.8 Critical |
| An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module. | ||||
| CVE-2025-5484 | 2026-04-15 | 8.3 High | ||
| A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. | ||||
| CVE-2024-28436 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2590, DAP-2690, DAP-2695, DAP-3520, DAP-3662 allows a remote attacker to execute arbitrary code via the reload parameter in the session_login.php component. | ||||
| CVE-2025-5485 | 2026-04-15 | 8.6 High | ||
| User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences. | ||||
| CVE-2024-28519 | 1 Microworld Technologies | 1 Escan Anti-virus | 2026-04-15 | 7.8 High |
| A kernel handle leak issue in ProcObsrvesx.sys 4.0.0.49 in MicroWorld Technologies Inc eScan Antivirus could allow privilege escalation for low-privileged users. | ||||
| CVE-2024-28520 | 2026-04-15 | 6.5 Medium | ||
| File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component. | ||||
| CVE-2024-28627 | 1 Flipsnack | 1 Flipsnack | 2026-04-15 | 7.5 High |
| An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file. | ||||
| CVE-2024-28699 | 1 Json | 1 Pdf2json | 2026-04-15 | 7.8 High |
| A buffer overflow vulnerability in pdf2json v0.70 allows a local attacker to execute arbitrary code via the GString::copy() and ImgOutputDev::ImgOutputDev function. | ||||
| CVE-2024-56316 | 2026-04-15 | 7.5 High | ||
| In AXESS ACS (Auto Configuration Server) through 5.2.0, unsanitized user input in the TR069 API allows remote unauthenticated attackers to cause a permanent Denial of Service via crafted TR069 requests on TCP port 9675 or 7547. Rebooting does not resolve the permanent Denial of Service. | ||||
| CVE-2024-28717 | 1 Openstack | 1 Storlets | 2026-04-15 | 4.9 Medium |
| An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component. | ||||
| CVE-2024-28726 | 1 Dlink | 1 Dwr-2000m Firmware | 2026-04-15 | 8 High |
| An issue in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to execute arbitrary code via a crafted payload to the Diagnostics function. | ||||
| CVE-2024-28728 | 1 Dlink | 1 Dwr-2000m | 2026-04-15 | 6.6 Medium |
| Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via a crafted payload to the WiFi SSID Name field. | ||||
| CVE-2024-28736 | 1 Debezium Community Project | 1 Debezium-ui | 2026-04-15 | 7.1 High |
| An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function. | ||||