Export limit exceeded: 26341 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (26341 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-1477 2 Mukeshpanchal, Wordpress 2 Easy Maintenance Mode, Wordpress 2026-04-15 5.3 Medium
The Easy Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2 via the REST API. This makes it possible for authenticated attackers to obtain post and page content via REST API thus bypassign the protection provided by the plugin.
CVE-2023-22662 2026-04-15 5.8 Medium
Improper input validation of EpsdSrMgmtConfig in UEFI firmware for some Intel(R) Server Board S2600BP products may allow a privileged user to potentially enable denial of service via local access.
CVE-2025-11645 2 Google, Tomofun 2 Android, Furbo Mobile App 2026-04-15 2.4 Low
A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-47855 1 Fortinet 2 Fortifone, Fortinet 2026-04-15 9.3 Critical
An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.
CVE-2025-1741 2026-04-15 4.7 Medium
A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Affected by this vulnerability is an unknown functionality of the file src/admin/users.php of the component Admin Page. The manipulation of the argument query/q leads to deserialization. The attack can be launched remotely. Upgrading to version 7.4.1-pl2 is able to address this issue. The identifier of the patch is 4816c8b748f6a5b965c8994e2cf10861bf6e68aa. It is recommended to upgrade the affected component. The vendor acted highly professional and even fixed this issue in the discontinued commercial edition as b1gMail 7.4.0-pl3.
CVE-2025-57837 1 Honor 2 Fcp-an10, Tileservice 2026-04-15 2.9 Low
Tileservice module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-50733 2026-04-15 8.6 High
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Web Services feature of newer Lexmark devices.
CVE-2025-12741 1 Google 1 Cloud Looker 2026-04-15 N/A
A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+
CVE-2025-1098 1 Kubernetes 1 Ingress-nginx 2026-04-15 8.8 High
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVE-2025-32080 2026-04-15 N/A
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation.This issue affects Mediawiki - Mobile Frontend Extension: from 1.39 through 1.43.
CVE-2025-49653 2026-04-15 8 High
Exposure of sensitive data in active sessions in Lablup's BackendAI allows attackers to retrieve credentials for users on the management platform.
CVE-2025-64213 2 Stylemixthemes, Wordpress 2 Masterstudy Lms, Wordpress 2026-04-15 7.5 High
Insertion of Sensitive Information Into Sent Data vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Retrieve Embedded Sensitive Data.This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16.
CVE-2024-47848 1 Wikimedia 1 Pagetriage 2026-04-15 N/A
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - PageTriage allows Authentication Bypass.This issue affects Mediawiki - PageTriage: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
CVE-2024-38359 1 Lightning Network Daemon Project 1 Lightning Network Daemon 2026-04-15 6.5 Medium
The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation.
CVE-2024-21829 1 Intel 1 Processors 2026-04-15 7.5 High
Improper input validation in UEFI firmware error handler for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-22234 1 Spring 1 Spring 2026-04-15 5.3 Medium
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
CVE-2025-40556 2026-04-15 6.5 Medium
A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a denial of service condition of the targeted device. A power cycle is required to restore the device's normal operation.
CVE-2024-47779 2026-04-15 N/A
Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.
CVE-2024-29291 1 Laravel 1 Framework 2026-04-15 N/A
An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the access control appropriately for the type of data that may be logged.
CVE-2025-31135 2026-04-15 5.3 Medium
Go-Guerrilla SMTP Daemon is a lightweight SMTP server written in Go. Prior to 1.6.7, when ProxyOn is enabled, the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. This vulnerability is fixed in 1.6.7.