Export limit exceeded: 355105 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2336 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5300 | 1 Coolercontrol | 1 Coolercontrold | 2026-04-16 | 5.9 Medium |
| Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests | ||||
| CVE-2004-0213 | 1 Microsoft | 1 Windows 2000 | 2026-04-16 | 7.8 High |
| Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. | ||||
| CVE-2002-1810 | 1 Dlink | 2 Dwl-900ap\+, Dwl-900ap\+ Firmware | 2026-04-16 | 7.5 High |
| D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to access the TFTP server without authentication and read the config.img file, which contains sensitive information such as the administrative password, the WEP encryption keys, and network configuration information. | ||||
| CVE-2026-39393 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-04-16 | 8.1 High |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0. | ||||
| CVE-2026-27028 | 1 Mobility46 | 1 Mobility46.se | 2026-04-16 | 9.4 Critical |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | ||||
| CVE-2026-22207 | 1 Volcengine | 1 Openviking | 2026-04-15 | 9.8 Critical |
| OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration. | ||||
| CVE-2026-0942 | 3 Linknacional, Woocommerce, Wordpress | 3 Rede Itau For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | ||||
| CVE-2026-26125 | 1 Microsoft | 1 Payment Orchestrator Service | 2026-04-15 | 8.6 High |
| Payment Orchestrator Service Elevation of Privilege Vulnerability | ||||
| CVE-2026-35450 | 1 Wwbn | 1 Avideo | 2026-04-15 | 5.3 Medium |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin(). | ||||
| CVE-2026-1900 | 2 Linkwhisper, Wordpress | 3 Link Whisper, Link Whisper Free, Wordpress | 2026-04-15 | 6.5 Medium |
| The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. | ||||
| CVE-2026-4640 | 2 Galaxy Software Services Corporation, Gss | 2 Vitals Esp, Vitalsesp | 2026-04-15 | 7.5 High |
| Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information. | ||||
| CVE-2019-25483 | 1 Comtrend | 1 Ar-5310 | 2026-04-15 | 8.4 High |
| Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $( ). Attackers can inject arbitrary commands through the $( ) syntax when passed as arguments to allowed commands like ping to execute unrestricted shell access. | ||||
| CVE-2017-20220 | 1 Serviio | 1 Serviio Pro | 2026-04-15 | 7.5 High |
| Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication. | ||||
| CVE-2017-20217 | 1 Serviio | 1 Serviio Pro | 2026-04-15 | 7.5 High |
| Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication. | ||||
| CVE-2025-69425 | 2026-04-15 | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | ||||
| CVE-2025-66555 | 2 Airkeyboardapp, Apple | 2 Airkeyboard Ios App, Ios | 2026-04-15 | N/A |
| AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control. | ||||
| CVE-2025-9214 | 1 Lenovo | 1 Printer | 2026-04-15 | 5.4 Medium |
| A missing authentication vulnerability was reported in some Lenovo printers that could allow a user to view limited device information or modify network settings via the CUPS service. | ||||
| CVE-2020-12492 | 2026-04-15 | N/A | ||
| Improper handling of WiFi information by framework services can allow certain malicious applications to obtain sensitive information. | ||||
| CVE-2023-6215 | 1 Hp | 2 Hp, Sure Start Ifd Protection | 2026-04-15 | N/A |
| A potential security vulnerability has been identified in HP Sure Start’s protection of the Intel Flash Descriptor in certain HP PC products, which might allow security bypass, arbitrary code execution, loss of integrity or confidentiality, or denial of service. HP is releasing BIOS updates to mitigate the potential vulnerability. | ||||
| CVE-2025-32978 | 1 Quest | 1 Kace Systems Management Appliance | 2026-04-15 | 7.5 High |
| Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service. | ||||