Export limit exceeded: 12261 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12838 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12838 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53003 | 2026-04-15 | N/A | ||
| The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d. | ||||
| CVE-2024-41929 | 1 Takenaka Engineering | 9 Ahd04t-a Firmware, Ahd08t-a Firmware, Ahd16t-a Firmware and 6 more | 2026-04-15 | 8.8 High |
| Improper authentication vulnerability in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings. | ||||
| CVE-2025-52395 | 2026-04-15 | 9.8 Critical | ||
| An issue in Roadcute API v.1 allows a remote attacker to execute arbitrary code via the application exposing a password reset API endpoint that fails to validate the identity of the requester properly | ||||
| CVE-2025-52376 | 2026-04-15 | 9.8 Critical | ||
| An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device. | ||||
| CVE-2025-52338 | 2026-04-15 | 5.3 Medium | ||
| An issue in the default configuration of the password reset function in LogicData eCommerce Framework v5.0.9.7000 allows attackers to bypass authentication and compromise user accounts via a bruteforce attack. | ||||
| CVE-2025-52294 | 2026-04-15 | 5.7 Medium | ||
| Insufficient validation of the screen lock mechanism in Trust Wallet v8.45 allows physically proximate attackers to bypass the lock screen and view the wallet balance. | ||||
| CVE-2025-52168 | 2026-04-15 | 6.5 Medium | ||
| Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system. | ||||
| CVE-2025-52166 | 2026-04-15 | 6.5 Medium | ||
| Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information. | ||||
| CVE-2022-29946 | 1 Nats | 1 Nats Server | 2026-04-15 | 6.3 Medium |
| NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects. | ||||
| CVE-2025-52101 | 2026-04-15 | 9.8 Critical | ||
| linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking. | ||||
| CVE-2024-42559 | 1 Hotel Management System Project | 1 Hotel Management System | 2026-04-15 | 9.8 Critical |
| An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password. | ||||
| CVE-2025-50434 | 2026-04-15 | 5.3 Medium | ||
| A security issue has been identified in Appian Enterprise Business Process Management version 25.3. The vulnerability is related to incorrect access control, which under certain conditions could allow unauthorized access to information. NOTE: this has been disputed because the CVE Record information does not originate from the Supplier, and the report lacks specificity about why a problem exists, how the behavior could be reproduced, and whether any action could be taken to resolve the problem. | ||||
| CVE-2024-4393 | 2 Thenbrent, Wordpress | 2 Social Connect Plugin, Wordpress | 2026-04-15 | 9.8 Critical |
| The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2024-4552 | 1 Phoeniixx | 1 Social Login Lite For Woocommerce | 2026-04-15 | 9.8 Critical |
| The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2025-4962 | 1 Lunary-ai | 1 Lunary | 2026-04-15 | N/A |
| An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23. | ||||
| CVE-2025-49594 | 1 Xwiki | 1 Xwiki | 2026-04-15 | N/A |
| XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access. | ||||
| CVE-2025-49603 | 2026-04-15 | 9.1 Critical | ||
| Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | ||||
| CVE-2023-31279 | 2026-04-15 | 8.1 High | ||
| The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Service on the devices or registered the device. This could enable an attacker to configure, manage, and execute AT commands on an unsuspecting user’s devices. | ||||
| CVE-2024-46627 | 1 Becn | 1 Datagerry | 2026-04-15 | 9.1 Critical |
| Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. | ||||
| CVE-2025-48861 | 1 Bosch | 1 Ctrlx Os | 2026-04-15 | 5.3 Medium |
| A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps. | ||||