Search Results (10720 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-61481 1 Mikrotik 2 Routeros, Switchos 2026-04-15 10 Critical
An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials.
CVE-2025-34062 2026-04-15 N/A
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.
CVE-2025-11998 1 Hp 1 Card Readers B Model 2026-04-15 N/A
The following HP Card Readers B Models (X3D03B & Y7C05B) are potentially vulnerable to information disclosure, allowing prior user identity to be inherited under certain conditions —e.g., when an NFC device (such as a smartphone/smartwatches) is in proximity during a card swipe event.
CVE-2025-61482 2 Google, Privacyidea 2 Android, Privacyidea 2026-04-15 7.2 High
Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts.
CVE-2025-34059 2026-04-15 N/A
An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
CVE-2024-34991 2026-04-15 7.5 High
In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control.
CVE-2025-5690 1 Dalibo 1 Postgresql Anonymizer 2026-04-15 6.5 Medium
PostgreSQL Anonymizer v2.0 and v2.1 contain a vulnerability that allows a masked user to bypass the masking rules defined on a table and read the original data using a database cursor or the --insert option of pg_dump. This problem occurs only when dynamic masking is enabled, which is not the default setting. The problem is resolved in version 2.2.1
CVE-2025-26485 2026-04-15 5.8 Medium
A vulnerability in Beta80 Life 1st enables the retrieval of different error messages for failed authentication attempts (in case of the usage of a wrong password or a non existent user). The difference in the returned error messages could be used by attackers to understand whether a certain user is registered in the Identity Manager. This issue affects Life 1st: 1.5.2.14234.
CVE-2024-38742 2026-04-15 5.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in MBE Worldwide S.P.A. MBE eShip allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MBE eShip: from n/a through 2.1.2.
CVE-2024-38756 1 Weblizar 1 Responsive Coming Soon \& Maintenance Mode 2026-04-15 5.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Weblizar Coming Soon allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Coming Soon: from n/a through 1.6.3.
CVE-2025-34051 2026-04-15 N/A
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
CVE-2024-8969 2026-04-15 6.5 Medium
OMFLOW from The SYSCOM Group has a vulnerability involving the exposure of sensitive data. This allows remote attackers who have logged into the system to obtain password hashes of all users and administrators.
CVE-2025-47417 2026-04-15 N/A
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse. When Enable Debug Images in Crestron Automate VX is active, snapshots of the captured video or portions thereof are stored locally on the system, and there is no visible indication that this is being done. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
CVE-2024-34754 2026-04-15 5.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Contact Form Widget.This issue affects Contact Form Widget: from n/a through 1.3.9.
CVE-2023-50872 1 Accredible Credential.net 1 Accredible Credential.net 2026-04-15 7.5 High
The API in Accredible Credential.net December 6th, 2023 allows an Insecure Direct Object Reference attack that discloses partial information about certificates and their respective holder. NOTE: the excellium-services.com web page about this issue mentions "Vendor says that it's not a security issue."
CVE-2024-7128 1 Redhat 1 Openshift 2026-04-15 5.3 Medium
A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.
CVE-2024-11265 2026-04-15 4.3 Medium
The Increase Maximum Upload File Size | Increase Execution Time plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.3. This is due to returning image upload error messages with full path information. This makes it possible for authenticated attackers, with author-level permissions and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVE-2024-22435 2026-04-15 8.3 High
A potential security vulnerability has been identified in Web ViewPoint Enterprise software. This vulnerability could be exploited to allow unauthorized users to access some resources on a NonStop system.
CVE-2024-47824 1 Matrix-react-sdk Project 1 Matrix-react-sdk 2026-04-15 N/A
matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available.
CVE-2024-31207 1 Vitejs 1 Vite 2026-04-15 5.9 Medium
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.