Export limit exceeded: 355834 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 355834 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (355834 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8432 | 1 Centreon | 1 Centreon | 2026-04-15 | 8.4 High |
| Incorrect Default Permissions vulnerability in Centreon Infra Monitoring (MBI modules) allows Embedding Scripts within Scripts by CentreonBI user account on the MBI server This issue affects Infra Monitoring: from 24.10.0 before 24.10.6, from 24.04.0 before 24.04.9, from 23.10.0 before 23.10.15. | ||||
| CVE-2025-8448 | 1 Schneider-electric | 2 Ecostruxure Building Operation Enterprise Server, Ecostruxure Workstation | 2026-04-15 | N/A |
| CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products. | ||||
| CVE-2025-8452 | 2026-04-15 | 4.3 Medium | ||
| By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol by which an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless, since the calculated default administrator password would no longer be the correct password. | ||||
| CVE-2025-8453 | 1 Schneider-electric | 2 Saitel Dp, Saitel Dr | 2026-04-15 | 6.7 Medium |
| CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation and arbitrary code execution when a privileged engineer user with console access modifies a configuration file used by a root-level daemon to execute custom scripts. | ||||
| CVE-2025-8456 | 1 Kod8 | 1 Kod8 Individual And Sme Website | 2026-04-15 | 7.6 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS.This issue affects Kod8 Individual and SME Website: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8590 | 1 Akce | 1 Skspro | 2026-04-15 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing.This issue affects SKSPro: through 07012026. | ||||
| CVE-2025-8461 | 1 Seres Software | 1 Syweb | 2026-04-15 | 7.6 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS.This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8463 | 2026-04-15 | 5.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing.This issue affects SecHard: before 3.6.2-20250805. | ||||
| CVE-2025-8489 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor, Wordpress | 2026-04-15 | 9.8 Critical |
| The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. | ||||
| CVE-2025-8536 | 1 Studio Fabryka | 1 Dobrycms | 2026-04-15 | N/A |
| A SQL injection vulnerability has been identified in DobryCMS. Improper neutralization of input provided by user into language functionality allows for SQL Injection attacks. This issue affects older branches of this software. | ||||
| CVE-2025-8512 | 1 Tvb | 1 Big Big Shop App | 2026-04-15 | 5.3 Medium |
| A vulnerability, which was classified as problematic, has been found in TVB Big Big Shop App 2.9.0 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component hk.com.tvb.bigbigshop. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8513 | 1 Caixin | 1 News App | 2026-04-15 | 5.3 Medium |
| A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8516 | 1 Kingdee | 1 Cloud-starry-sky | 2026-04-15 | 5.3 Medium |
| A security vulnerability has been detected in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. This issue affects the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function." | ||||
| CVE-2025-8524 | 2 Boquan, Google | 2 Dotwalle App, Android | 2026-04-15 | 5.3 Medium |
| A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8529 | 1 Favorites-web Project | 1 Favorites-web | 2026-04-15 | 6.3 Medium |
| A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8531 | 3 Mitsubishi, Mitsubishi Electric, Mitsubishielectric | 3 Melsec-q Series, Melsec-q Series, Melsec-q Series | 2026-04-15 | 6.8 Medium |
| Improper Handling of Length Parameter Inconsistency vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series Q03UDVCPU, Q04UDVCPU, Q06UDVCPU, Q13UDVCPU, Q26UDVCPU, Q04UDPVCPU, Q06UDPVCPU, Q13UDPVCPU, and Q26UDPVCPU with the first 5 digits of serial No. "24082" to "27081" allows a remote attacker to cause an integer underflow by sending specially crafted packets to the affected product to stop Ethernet communication and the execution of control programs on the product, when the user authentication function is enabled. The user authentication function is enabled by default only when settings are configured by GX Works2, which complies with the Cybersecurity Law of the People's Republic of China, and is normally disabled. | ||||
| CVE-2025-8532 | 1 Bimser | 1 Eba Document And Workflow Management System | 2026-04-15 | 6.4 Medium |
| Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing.This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166. | ||||
| CVE-2025-8533 | 1 Flexibits | 1 Fantastical | 2026-04-15 | N/A |
| A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16. | ||||
| CVE-2025-8594 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 3.8 Low |
| The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attack. | ||||
| CVE-2025-8597 | 2 Apple, Macvim | 2 Macos, Macvim | 2026-04-15 | N/A |
| MacVim's configuration on macOS, specifically the presence of entitlement "com.apple.security.get-task-allow", allows local attackers with unprivileged access (e.g. via a malicious application) to attach a debugger, read or modify the process memory, inject code in the application's context despite being signed with Hardened Runtime and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission. According to Apple documentation, when a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator's credentials. Since there is no prompt when the target process has "get-task-allow" entitlement, the presence of this entitlement was decided to be treated as a vulnerability because it removes one step needed to perform an attack. This issue was fixed in build r181.2 | ||||