Export limit exceeded: 341190 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341190 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70887 | 1 Ralphje | 1 Signify | 2026-03-30 | 8.8 High |
| An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components | ||||
| CVE-2026-4231 | 1 Vanna-ai | 1 Vanna | 2026-03-30 | 7.3 High |
| A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3110 | 1 Educativa | 1 Campus | 2026-03-30 | N/A |
| Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa specifically at the endpoint '/administracion/admin_usuarios.cgi?filtro_estado=T&wAccion=listado_xlsx&wBuscar=&wFiltrar=&wOrden=alta_usuario&wid_cursoActual=[ID]' where the data of users enrolled in the course is exported. Successful exploitation of this vulnerability could allow an unauthenticated attacker to access user data (e.g., usernames, first and last names, email addresses, and phone numbers) and retrieve the data of all users enrolled in courses by performing a brute-force attack on the course ID via a manipulated URL. | ||||
| CVE-2026-3111 | 1 Educativa | 1 Campus | 2026-03-30 | N/A |
| Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa specifically at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' (translated as 80x90 and 40x45). Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of all users via a manipulated URL, enabling them to collect user photos en masse. This could lead to these photos being used maliciously to impersonate identities, perform social engineering, link identities across platforms using facial recognition, or even carry out doxxing. | ||||
| CVE-2026-3020 | 1 Wakyma | 1 Wakyma Application Web | 2026-03-30 | N/A |
| Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts | ||||
| CVE-2026-4234 | 1 Sscms | 1 Sscms | 2026-03-30 | 6.3 Medium |
| A security flaw has been discovered in SSCMS 7.4.0. This vulnerability affects unknown code of the file SitesAddController.Submit.cs of the component DDL Handler. The manipulation of the argument tableHandWrite results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15552 | 1 Truesec | 1 Lapswebui | 2026-03-30 | N/A |
| Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password. | ||||
| CVE-2025-15553 | 1 Truesec | 1 Lapswebui | 2026-03-30 | N/A |
| Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password. | ||||
| CVE-2025-15554 | 1 Truesec | 1 Lapswebui | 2026-03-30 | N/A |
| Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords. | ||||
| CVE-2026-2456 | 1 Mattermost | 3 Mattermost, Mattermost Server, Server | 2026-03-30 | 5.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button.. Mattermost Advisory ID: MMSA-2026-00571 | ||||
| CVE-2026-2476 | 1 Mattermost | 1 Ms Teams | 2026-03-30 | 7.6 High |
| Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606 | ||||
| CVE-2026-2463 | 1 Mattermost | 3 Mattermost, Mattermost Server, Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565 | ||||
| CVE-2026-2461 | 1 Mattermost | 1 Mattermost Server | 2026-03-30 | 4.3 Medium |
| Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559 | ||||
| CVE-2026-2457 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID: MMSA-2025-00569 | ||||
| CVE-2026-2458 | 1 Mattermost | 2 Mattermost Server, Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID: MMSA-2025-00568 | ||||
| CVE-2026-26246 | 1 Mattermost | 3 Mattermost, Mattermost Server, Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572 | ||||
| CVE-2025-15540 | 1 Raytha | 1 Raytha | 2026-03-30 | 8.8 High |
| "Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment. This issue was fixed in version 1.4.6. | ||||
| CVE-2025-69236 | 1 Raytha | 1 Raytha | 2026-03-30 | 5.4 Medium |
| Raytha CMS is vulnerable to Stored XSS via FieldValues[1].Value parameter in post editing functionality. Authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6. | ||||
| CVE-2025-69237 | 1 Raytha | 1 Raytha | 2026-03-30 | 5.4 Medium |
| Raytha CMS is vulnerable to Stored XSS via FieldValues[0].Value parameter in page creation functionality. Authenticated attacker with permissions to create content can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6. | ||||
| CVE-2025-69238 | 1 Raytha | 1 Raytha | 2026-03-30 | 4.3 Medium |
| Raytha CMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. Attacker can craft special website, which when visited by the authenticated victim, will automatically send POST request to the endpoint (e. x. deletion of the data) without enforcing token verification. This issue was fixed in version 1.4.6. | ||||