Export limit exceeded: 16384 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11734 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40874 | 1 Mailcow | 1 Mailcow Dockerized | 2026-04-22 | N/A |
| mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability. | ||||
| CVE-2025-43404 | 1 Apple | 2 Macos, Macos Tahoe | 2026-04-22 | 3.3 Low |
| A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | ||||
| CVE-2025-43527 | 1 Apple | 1 Macos | 2026-04-22 | 7.8 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Tahoe 26.2. An app may be able to gain root privileges. | ||||
| CVE-2025-43416 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-22 | 9.8 Critical |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data. | ||||
| CVE-2025-43518 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-22 | 3.3 Low |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, watchOS 26.2. An app may be able to inappropriately access files through the spellcheck API. | ||||
| CVE-2025-46282 | 1 Apple | 3 Macos, Macos Tahoe, Safari | 2026-04-22 | 5.5 Medium |
| The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data. | ||||
| CVE-2025-46292 | 1 Apple | 3 Ios, Ipados, Iphone Os | 2026-04-22 | 5.5 Medium |
| This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data. | ||||
| CVE-2025-46288 | 1 Apple | 9 Ios, Ipad Os, Ipados and 6 more | 2026-04-22 | 5.5 Medium |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens. | ||||
| CVE-2026-40946 | 1 Oxia-db | 1 Oxia | 2026-04-22 | N/A |
| Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia. This vulnerability is fixed in 0.16.2. | ||||
| CVE-2026-3461 | 2 Visaacceptancesolutions, Wordpress | 2 Visa Acceptance Solutions, Wordpress | 2026-04-22 | 9.8 Critical |
| The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise. | ||||
| CVE-2026-6201 | 1 Codeastro | 1 Online Job Portal | 2026-04-22 | 5.4 Medium |
| A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-6582 | 2 Superagi, Transformeroptimus | 2 Superagi, Superagi | 2026-04-22 | 7.3 High |
| A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6614 | 1 Superagi | 1 Superagi | 2026-04-22 | 6.3 Medium |
| A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6579 | 1 Liangliangyy | 1 Djangoblog | 2026-04-22 | 6.5 Medium |
| A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6609 | 1 Liangliangyy | 1 Djangoblog | 2026-04-22 | 6.3 Medium |
| A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6569 | 1 Kodcloud | 1 Kodexplorer | 2026-04-22 | 7.3 High |
| A vulnerability was identified in kodcloud KodExplorer up to 4.52. This impacts the function fileGet of the file /app/controller/share.class.php of the component fileGet Endpoint. Such manipulation of the argument fileUrl leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6650 | 1 Zblogcn | 1 Z-blogphp | 2026-04-22 | 4.7 Medium |
| A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6596 | 1 Langflow | 1 Langflow | 2026-04-22 | 7.3 High |
| A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6588 | 1 Serge-chat | 1 Serge | 2026-04-22 | 6.5 Medium |
| A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-6586 | 2 Superagi, Transformeroptimus | 2 Superagi, Superagi | 2026-04-22 | 6.3 Medium |
| A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||