Export limit exceeded: 364840 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (5680 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12884 | 2 Monetizemore, Wordpress | 2 Advanced Ads – ad Manager & Adsense, Wordpress | 2026-04-21 | 4.3 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves. | ||||
| CVE-2025-11711 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-20 | 6.5 Medium |
| There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. | ||||
| CVE-2025-11716 | 2 Google, Mozilla | 3 Android, Firefox, Thunderbird | 2026-04-20 | 6.5 Medium |
| Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144. | ||||
| CVE-2026-35402 | 1 Neo4j-contrib | 1 Mcp-neo4j | 2026-04-20 | N/A |
| mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0. | ||||
| CVE-2025-1941 | 1 Mozilla | 1 Firefox | 2026-04-20 | 9.1 Critical |
| Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136. | ||||
| CVE-2025-14329 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-20 | 8.8 High |
| Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | ||||
| CVE-2025-62474 | 1 Microsoft | 22 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 19 more | 2026-04-20 | 7.8 High |
| Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59517 | 1 Microsoft | 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more | 2026-04-20 | 7.8 High |
| Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-62570 | 1 Microsoft | 5 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 2 more | 2026-04-20 | 7.1 High |
| Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-64673 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-04-20 | 7.8 High |
| Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-64669 | 1 Microsoft | 1 Windows Admin Center | 2026-04-20 | 7.8 High |
| Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-14082 | 1 Redhat | 1 Build Keycloak | 2026-04-20 | 2.7 Low |
| A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. | ||||
| CVE-2026-2054 | 2 D-link, Dlink | 6 Dir-605l, Dir-619l, Dir-605l and 3 more | 2026-04-18 | 5.3 Medium |
| A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-21447 | 1 Webkul | 1 Bagisto | 2026-04-18 | 7.1 High |
| Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. | ||||
| CVE-2026-0577 | 2 Code-projects, Fabian | 2 Online Product Reservation System, Online Product Reservation System | 2026-04-18 | 6.3 Medium |
| A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-20970 | 1 Samsung | 3 Android, Mobile, Mobile Devices | 2026-04-18 | 7.8 High |
| Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs. | ||||
| CVE-2026-22033 | 1 Humansignal | 1 Label Studio | 2026-04-18 | 5.4 Medium |
| Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access. | ||||
| CVE-2026-1181 | 1 Altium | 1 Altium 365 | 2026-04-18 | 9 Critical |
| Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | ||||
| CVE-2026-21927 | 1 Oracle | 1 Solaris | 2026-04-18 | 5.8 Medium |
| Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | ||||
| CVE-2026-20750 | 1 Gitea | 1 Gitea | 2026-04-18 | 9.1 Critical |
| Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | ||||