Export limit exceeded: 345221 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345221 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345221 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0512 | 1 Sap | 1 Supplier Relationship Management | 2026-04-17 | 6.1 Medium |
| Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. | ||||
| CVE-2026-27674 | 1 Sap | 1 Sap Netweaver Application Server Java | 2026-04-17 | 6.1 Medium |
| Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability. | ||||
| CVE-2026-34256 | 1 Sap | 2 Erp, S/4 Hana | 2026-04-17 | 7.1 High |
| Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected. | ||||
| CVE-2026-6231 | 1 Mongodb | 1 C Driver | 2026-04-17 | 4.3 Medium |
| The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1 | ||||
| CVE-2026-24032 | 1 Siemens | 1 Sinec-nms | 2026-04-17 | 7.3 High |
| A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. (ZDI-CAN-27564) | ||||
| CVE-2026-25654 | 1 Siemens | 1 Sinec-nms | 2026-04-17 | 8.8 High |
| A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. | ||||
| CVE-2025-31991 | 1 Hclsoftware | 1 Velocity | 2026-04-17 | 6.8 Medium |
| Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. | ||||
| CVE-2026-27679 | 1 Sap | 1 S/4hana | 2026-04-17 | 6.5 Medium |
| Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted. | ||||
| CVE-2026-27683 | 1 Sap Se | 1 Sap Business Objects Business Intelligence Platform | 2026-04-17 | 4.1 Medium |
| SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability. | ||||
| CVE-2026-34262 | 1 Sap | 2 Hana Cockpit, Hana Database Explorer | 2026-04-17 | 5 Medium |
| Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer | ||||
| CVE-2026-27675 | 1 Sap | 1 Landscape Transformation | 2026-04-17 | 2 Low |
| SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted. | ||||
| CVE-2026-4786 | 1 Python | 1 Cpython | 2026-04-17 | 7.3 High |
| Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. | ||||
| CVE-2026-5086 | 1 Nerdvana | 1 Crypt::secretbuffer | 2026-04-17 | 7.5 High |
| Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password. | ||||
| CVE-2025-52641 | 1 Hcltech | 1 Aion | 2026-04-17 | 2.9 Low |
| HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure. | ||||
| CVE-2026-6384 | 1 Redhat | 1 Enterprise Linux | 2026-04-17 | 7.3 High |
| A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a specially crafted GIF file. This can lead to a denial of service or potentially arbitrary code execution. | ||||
| CVE-2026-23772 | 1 Dell | 1 Storage Manager | 2026-04-17 | 7.3 High |
| Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | ||||
| CVE-2026-1880 | 1 Asus | 1 Driverhub | 2026-04-17 | N/A |
| An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information. | ||||
| CVE-2026-2336 | 1 Microchip | 1 Istax | 2026-04-17 | N/A |
| A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03. | ||||
| CVE-2026-33804 | 1 Fastify | 1 Middie | 2026-04-17 | 7.4 High |
| @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option. | ||||
| CVE-2026-3428 | 1 Asus | 1 Member Center | 2026-04-17 | N/A |
| A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information. | ||||