Search Results (12843 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-3289 1 Tenable 1 Nessus 2026-04-15 7.8 High
When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
CVE-2024-3291 2026-04-15 7.8 High
When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
CVE-2024-32969 1 Vantage6 1 Vantage6 2026-04-15 2.7 Low
vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know the passwords, and use that to read task results of other collaborations that that organization is involved in. This is only relatively trusted users - with access to manage a collaboration - are able to do this, which reduces the impact. This vulnerability was patched in version 4.5.0rc3.
CVE-2024-32973 2026-04-15 4.8 Medium
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected. This issue has been patched in pull request #851 which has been included in version 0.9.3. Users are advised to upgrade. there are no known workarounds for this vulnerability.
CVE-2024-33898 1 Axiros 1 Axess 2026-04-15 9.8 Critical
Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution.
CVE-2024-6727 2026-04-15 5.4 Medium
A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application.
CVE-2024-35775 1 Wordpress 1 Wordpress 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Authentication vulnerability in Soliloquy Team Slider by Soliloquy allows Cross-Site Scripting (XSS).This issue affects Slider by Soliloquy: from n/a through 2.7.6.
CVE-2024-37019 1 Northern.tech 1 Mender 2026-04-15 9.8 Critical
Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication.
CVE-2024-37742 1 Ethz 1 Safe Exam Browser 2026-04-15 8.2 High
Insecure Access Control in Safe Exam Browser (SEB) = 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By exploiting this flaw, an attacker can bypass exam controls and gain an unfair advantage during exams.
CVE-2024-37893 1 Firefly-iii 1 Firefly Iii 2026-04-15 5.9 Medium
Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager.
CVE-2024-37897 2026-04-15 5.4 Medium
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
CVE-2024-38394 2026-04-15 4.3 Medium
Mismatches in interpreting USB authorization policy between GNOME Settings Daemon (GSD) through 46.0 and the Linux kernel's underlying device matching logic allow a physically proximate attacker to access some unintended Linux kernel USB functionality, such as USB device-specific kernel modules and filesystem implementations. NOTE: the GSD supplier indicates that consideration of a mitigation for this within GSD would be in the context of "a new feature, not a CVE."
CVE-2024-38518 1 Bigbluebutton 1 Bigbluebutton 2026-04-15 4.6 Medium
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
CVE-2024-38523 2026-04-15 7.5 High
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.
CVE-2024-39285 2026-04-15 5.3 Medium
Improper access control in UEFI firmware in some Intel(R) Server M20NTP Family may allow a privileged user to potentially enable information disclosure via local access.
CVE-2024-39309 1 Parse Community 1 Parse Server 2026-04-15 9.8 Critical
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
CVE-2024-39340 1 Securepoint 1 Unified Threat Management 2026-04-15 8.8 High
The authentication system of Securepoint UTM mishandles OTP keys. This allows the bypassing of second-factor verification (when OTP is enabled) in both the administration web interface and the user portal. Affected versions include UTM 11.5 through 12.6.4 and Reseller Preview 12.7.0. The issue has been fixed in UTM 12.6.5 and 12.7.1.
CVE-2024-39934 1 Robotmk 1 Robotmk 2026-04-15 7.8 High
Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment.
CVE-2024-40117 1 Solar-log 1 Solar-log 1000 Firmware 2026-04-15 9.8 Critical
Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. Not existing for SL 200, 500, 1000 / fixed in 4.2.8 for SL 250, 300, 1200, 2000, SL 50 Gateway / fixed in 5.1.2 / 6.0.0 for SL Base.
CVE-2024-41798 1 Siemens 1 Sentron Pac3200 2026-04-15 9.8 Critical
A vulnerability has been identified in SENTRON 7KM PAC3200 (All versions). Affected devices only provide a 4-digit PIN to protect from administrative access via Modbus TCP interface. Attackers with access to the Modbus TCP interface could easily bypass this protection by brute-force attacks or by sniffing the Modbus clear text communication.