Export limit exceeded: 14666 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10044 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357703 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357703 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 25877 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (25877 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45043 | 1 Opentelemetry | 1 Opentelemetry Collector Contrib | 2026-04-15 | 5.3 Medium |
| The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-34897 | 2026-04-15 | 7.5 High | ||
| Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability. | ||||
| CVE-2025-7216 | 1 Lty628 | 1 Aidigu | 2026-04-15 | 7.3 High |
| A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6984 | 1 Langchain-ai | 1 Langchain | 2026-04-15 | N/A |
| The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. | ||||
| CVE-2024-33309 | 1 Tvs Motor Company | 2 Connect, Ios | 2026-04-15 | 7.5 High |
| An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to obtain sensitive information via an insecure API endpoint. NOTE: this is disputed as discussed in the msn-official/CVE-Evidence repository. | ||||
| CVE-2024-42049 | 1 Tightvnc | 1 Tightvnc | 2026-04-15 | 9.1 Critical |
| TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection. | ||||
| CVE-2024-41335 | 2026-04-15 | 7.5 High | ||
| Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks. | ||||
| CVE-2024-4022 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /version.js of the component Version Data Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-261674 is the identifier assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024. | ||||
| CVE-2024-4021 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /ndmComponents.js of the component Configuration Setting Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261673 was assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024. | ||||
| CVE-2024-43445 | 2026-04-15 | 5.4 Medium | ||
| A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected | ||||
| CVE-2024-39919 | 2026-04-15 | 3.1 Low | ||
| @jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-39811 | 1 Intel | 1 M20ntp Firmware | 2026-04-15 | 6.3 Medium |
| Improper input validation in firmware for some Intel(R) Server M20NTP Family UEFI may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-9381 | 1 Fnkvision | 1 Y215 Cctv Camera | 2026-04-15 | 1.6 Low |
| A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disclosure. The attack may be carried out on the physical device. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-39182 | 1 Ispmanager | 1 Ispmanager | 2026-04-15 | 7.5 High |
| An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command (ISP6-1779). | ||||
| CVE-2024-38828 | 1 Vmware | 1 Spring | 2026-04-15 | 5.3 Medium |
| Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. | ||||
| CVE-2024-38798 | 1 Tianocore | 1 Edk2 | 2026-04-15 | 5.2 Medium |
| EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality. | ||||
| CVE-2024-38372 | 1 Nodejs | 1 Undici | 2026-04-15 | 2 Low |
| Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. | ||||
| CVE-2025-26485 | 2026-04-15 | 5.8 Medium | ||
| A vulnerability in Beta80 Life 1st enables the retrieval of different error messages for failed authentication attempts (in case of the usage of a wrong password or a non existent user). The difference in the returned error messages could be used by attackers to understand whether a certain user is registered in the Identity Manager. This issue affects Life 1st: 1.5.2.14234. | ||||
| CVE-2025-20067 | 1 Intel | 3 Csme, Intel R Csme, Sps | 2026-04-15 | 6 Medium |
| Observable timing discrepancy in firmware for some Intel(R) CSME and Intel(R) SPS may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2023-47210 | 2026-04-15 | 4.7 Medium | ||
| Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | ||||