Export limit exceeded: 355821 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3380 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30040 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint. | ||||
| CVE-2025-30039 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges. | ||||
| CVE-2025-30037 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp. | ||||
| CVE-2025-27371 | 2026-04-15 | 6.9 Medium | ||
| In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR). | ||||
| CVE-2025-9160 | 1 Rockwellautomation | 2 Compactlogix, Compactlogix 5480 | 2026-04-15 | N/A |
| A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution. | ||||
| CVE-2025-27370 | 1 Openid | 1 Openid Connect | 2026-04-15 | 6.9 Medium |
| OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client. | ||||
| CVE-2025-27256 | 2026-04-15 | 8.3 High | ||
| Missing Authentication for Critical Function vulnerability in GE Vernova Enervista UR Setup application allows Authentication Bypass due to a missing SSH server authentication. Since the client connection is not authenticated, an attacker may perform a man-in-the-middle attack on the network. | ||||
| CVE-2024-35295 | 2026-04-15 | 6.1 Medium | ||
| A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to the device's control unit configuration. This could allow an attacker with physical access to the maintenance connection's door port to perform arbitrary configuration changes. | ||||
| CVE-2024-35342 | 2026-04-15 | 4.6 Medium | ||
| Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera. | ||||
| CVE-2025-2567 | 2026-04-15 | 9.8 Critical | ||
| An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation. | ||||
| CVE-2024-39364 | 1 Advantech | 1 Adam-5630 | 2026-04-15 | 6.3 Medium |
| Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands. | ||||
| CVE-2025-2407 | 2026-04-15 | N/A | ||
| Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5. | ||||
| CVE-2025-2344 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-41969 | 2026-04-15 | 8.8 High | ||
| A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS. | ||||
| CVE-2021-47891 | 2 Unified Intents, Unifiedremote | 2 Unified Remote, Unified Remote | 2026-04-15 | 9.8 Critical |
| Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | ||||
| CVE-2025-23356 | 1 Nvidia | 1 Isaac Lab | 2026-04-15 | 8.4 High |
| NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | ||||
| CVE-2024-41967 | 1 Wago | 5 Cc100, Edge Controller, Pfc100 and 2 more | 2026-04-15 | 8.1 High |
| A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack. | ||||
| CVE-2024-41968 | 2026-04-15 | 5.4 Medium | ||
| A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS. | ||||
| CVE-2025-1740 | 1 Akinsoft | 1 Myrezzta | 2026-04-15 | 9.8 Critical |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01. | ||||
| CVE-2025-1714 | 2026-04-15 | N/A | ||
| Lack of Rate Limiting in Sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy online allows attacker to enumerate valid user emails and potentially DOS the server | ||||