Search Results (12238 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1974 1 Kubernetes 1 Ingress-nginx 2026-04-15 9.8 Critical
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVE-2025-20004 2026-04-15 7.2 High
Insufficient control flow management in the Alias Checking Trusted Module for some Intel(R) Xeon(R) 6 processor E-Cores firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-42350 2026-04-15 3 Low
Biscuit is an authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: 1. the public key of the previous block (used in the signature), 2. the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Tokens with third-party blocks containing `trusted` annotations generated through a third party block request. This has been addressed in version 4 of the specification. Users are advised to update their implementations to conform. There are no known workarounds for this vulnerability.
CVE-2025-20012 1 Redhat 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more 2026-04-15 4.9 Medium
Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.
CVE-2025-20022 2026-04-15 5.7 Medium
Insufficient control flow management for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow a privileged user to potentially enable information disclosure via adjacent access.
CVE-2025-20047 2026-04-15 5.7 Medium
Improper locking in the Intel(R) Integrated Connectivity I/O interface (CNVi) for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
CVE-2025-2068 2026-04-15 5 Medium
An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user.
CVE-2025-2070 2026-04-15 5 Medium
An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user.
CVE-2025-46748 2026-04-15 2.7 Low
An authenticated user attempting to change their password could do so without using the current password.
CVE-2024-47582 2026-04-15 5.3 Medium
Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.
CVE-2025-32942 1 Ssh 1 Tectia Server 2026-04-15 7.2 High
SSH Tectia Server before 6.6.6 sometimes allows attackers to read and alter a user's session traffic.
CVE-2023-53822 1 Linux 1 Linux Kernel 2026-04-15 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp. When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk in ath11k_dp_rx_h_sort_frags, skb null leads to exception. To address this, before processing received fragments we check dp_setup_done flag is set to ensure that peer has completed its dp peer setup for fragment queue, else ignore processing the fragments. Call trace: ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] ath11k_dp_service_srng+0x70/0x370 [ath11k] 0xffffffc009693a04 __napi_poll+0x30/0xa4 net_rx_action+0x118/0x270 __do_softirq+0x10c/0x244 irq_exit+0x64/0xb4 __handle_domain_irq+0x88/0xac gic_handle_irq+0x74/0xbc el1_irq+0xf0/0x1c0 arch_cpu_idle+0x10/0x18 do_idle+0x104/0x248 cpu_startup_entry+0x20/0x64 rest_init+0xd0/0xdc arch_call_rest_init+0xc/0x14 start_kernel+0x480/0x4b8 Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
CVE-2024-12309 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts.
CVE-2024-33883 2026-04-15 4 Medium
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
CVE-2024-32008 1 Siemens 1 Spectrum Power 4 2026-04-15 7.8 High
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as administrative application user.
CVE-2025-30193 1 Powerdns 1 Dnsdist 2026-04-15 7.5 High
In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention.
CVE-2025-12868 1 Cybertutor 1 New Site Server 2026-04-15 9.8 Critical
New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website.
CVE-2024-43704 1 Imaginationtech 1 Ddk 2026-04-15 8.4 High
Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.
CVE-2024-44331 1 Gstreamer Project 1 Gst-rtsp-server 2026-04-15 7.5 High
Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.
CVE-2025-2875 2026-04-15 7.5 High
CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to access resources.