Export limit exceeded: 346128 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346128 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-54751 | 2026-04-15 | 9.8 Critical | ||
| COMFAST CF-WR630AX v2.7.0.2 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. | ||||
| CVE-2024-54767 | 2026-04-15 | 7.5 High | ||
| An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Supplier because it cannot be reproduced, and the issue report focuses on an unintended configuration with direct Internet exposure. | ||||
| CVE-2025-11256 | 2 Kognetiks, Wordpress | 2 Chatbot, Wordpress | 2026-04-15 | 5.3 Medium |
| The Kognetiks Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to upload limited safe files and erase conversations. | ||||
| CVE-2024-54820 | 2026-04-15 | 9.8 Critical | ||
| XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords via a crafted input. | ||||
| CVE-2025-29069 | 2026-04-15 | 7.3 High | ||
| A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations. NOTE: this is disputed by the Supplier because the finding identified a bug in a third-party calling program, not in lcms. | ||||
| CVE-2025-30058 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| In the PatientService.pl service, the "getPatientIdentifier" function is vulnerable to SQL injection through the "pesel" parameter. | ||||
| CVE-2024-54909 | 2026-04-15 | 8.1 High | ||
| A vulnerability has been identified in GoldPanKit eva-server v4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download. | ||||
| CVE-2024-54910 | 2026-04-15 | 4.7 Medium | ||
| Hasleo Backup Suite Free v4.9.4 and before is vulnerable to Insecure Permissions via the File recovery function. | ||||
| CVE-2024-54982 | 2026-04-15 | N/A | ||
| An issue in Quectel BC25 with firmware version BC25PAR01A06 allows attackers to bypass authentication via a crafted NAS message. NOTE: Quectel disputes this because the issue is in the chipset supply chain and is not localized to one or more Quectel products. | ||||
| CVE-2024-54983 | 2026-04-15 | 9.8 Critical | ||
| An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message. | ||||
| CVE-2024-54984 | 2026-04-15 | 9.8 Critical | ||
| An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier. | ||||
| CVE-2025-30059 | 1 Cgm | 1 Cgm Clininet | 2026-04-15 | N/A |
| In the PrepareCDExportJSON.pl service, the "getPerfServiceIds" function is vulnerable to SQL injection. | ||||
| CVE-2024-55082 | 2026-04-15 | 7.5 High | ||
| A Server-Side Request Forgery (SSRF) in the endpoint http://{your-server}/url-to-pdf of Stirling-PDF 0.35.1 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2024-5514 | 1 Minmax | 1 Minmax | 2026-04-15 | 9.8 Critical |
| MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs. | ||||
| CVE-2024-55159 | 2026-04-15 | 4.2 Medium | ||
| GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the SortName parameter at /system/loginLog/list. | ||||
| CVE-2024-55186 | 2026-04-15 | 4.3 Medium | ||
| An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users. | ||||
| CVE-2024-55196 | 2026-04-15 | 7.5 High | ||
| Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. | ||||
| CVE-2025-29070 | 2026-04-15 | 7.5 High | ||
| A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation." | ||||
| CVE-2025-29085 | 2026-04-15 | 9.8 Critical | ||
| SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component. | ||||
| CVE-2024-5531 | 2 Oceanwp, Wordpress | 2 Ocean Extra, Wordpress | 2026-04-15 | 6.4 Medium |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flickr widget in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||