Search Results (5682 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-29206 2026-04-15 N/A
An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Access G2 Reader Pro (Version 1.2.172 and earlier) UniFi Access Reader Pro (Version 2.7.238 and earlier) UniFi Access Intercom (Version 1.0.66 and earlier) UniFi Access Intercom Viewer (Version 1.0.5 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Access G2 Reader Pro Version 1.3.37 or later. Update UniFi Access Reader Pro Version 2.8.19 or later. Update UniFi Access Intercom Version 1.1.32 or later. Update UniFi Access Intercom Viewer Version 1.1.6 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.
CVE-2025-57266 1 Thrivex 1 Blog 2026-04-15 9.8 Critical
An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint.
CVE-2025-57247 2026-04-15 9.1 Critical
The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base ERC20 contract are declared as public without proper access control modifiers, allowing any user to bypass transfer restrictions and manipulate special address settings. This enables unauthorized users to circumvent cold time transfer restrictions and potentially disrupt dividend distribution mechanisms, leading to privilege escalation and violation of the contract's intended tokenomics.
CVE-2025-55626 1 Reolink 1 Smart 2k+ Video Doorbell 2026-04-15 5.3 Medium
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage.
CVE-2025-54603 1 Claroty 1 Secure Remote Access 2026-04-15 6.5 Medium
An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
CVE-2022-41324 2026-04-15 6.5 Medium
Northern.tech Mender 3.3.x before 3.3.2 and 3.4.x before 3.4.0 has Incorrect Access Control and allows low-privileged users default read access to some sensitive device information.
CVE-2022-43110 1 Voltronicpower 1 Viewpower 2026-04-15 9.8 Critical
Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down.
CVE-2022-45929 1 Northern.tech 1 Mender 2026-04-15 8.8 High
Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user.
CVE-2025-52168 2026-04-15 6.5 Medium
Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system.
CVE-2025-30127 1 Marbella 1 Kr8s Dashcam 2026-04-15 9.8 Critical
An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779.
CVE-2025-52166 2026-04-15 6.5 Medium
Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information.
CVE-2025-52101 2026-04-15 9.8 Critical
linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking.
CVE-2024-21828 1 Intel 2 Ethernet Adapter Complete Driver Pack, Ethernet Connections Boot Utility Preboot Images And Efi Drivers 2026-04-15 6.7 Medium
Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-21767 2026-04-15 9.4 Critical
A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.
CVE-2024-21741 1 Gigadevice 1 Gd32e103c8t6 2026-04-15 9.8 Critical
GigaDevice GD32E103C8T6 devices have Incorrect Access Control.
CVE-2024-21740 1 Artery 2 At32f415cbt7, At32f421c8t7 2026-04-15 7.4 High
Artery AT32F415CBT7 and AT32F421C8T7 devices have Incorrect Access Control.
CVE-2023-30582 1 Nodejs 1 Nodejs 2026-04-15 5.3 Medium
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-30583 1 Nodejs 1 Nodejs 2026-04-15 7.5 High
fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-30587 1 Nodejs 1 Nodejs 2026-04-15 7.5 High
A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-2019 2 Acceleration, Wordpress 2 Wp-db-table-editor, Wordpress 2026-04-15 7.5 High
The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit.