Export limit exceeded: 12843 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12843 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-1308 1 Datafeedr 1 Woocommerce Cloak Affiliate Links 2026-04-15 7.5 High
The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to modify the affiliate permalink base, driving traffic to malicious sites via the plugin's affiliate links.
CVE-2024-13182 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.
CVE-2022-37410 2026-04-15 7 High
Improper access control for some Intel(R) Thunderbolt driver software before version 89 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-37233 2026-04-15 4.3 Medium
Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4.
CVE-2024-1726 1 Redhat 1 Quarkus 2026-04-15 5.3 Medium
A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.
CVE-2024-1678 2 Dunhakdis, Wordpress 2 Subway-private Site Option, Wordpress 2026-04-15 5.3 Medium
The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post content.
CVE-2024-1609 2026-04-15 N/A
In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation.
CVE-2024-37897 2026-04-15 5.4 Medium
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
CVE-2023-20587 2026-04-15 7.1 High
Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.
CVE-2024-38351 2026-04-15 5.4 Medium
Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register with the targeted user's email (it is unverified), 2. at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_), 3. on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them, 4. because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password. To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the OAuth2 auth call). Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. The flow will be further improved with ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future). For the time being users are advised to update to version 0.22.14. There are no known workarounds for this vulnerability.
CVE-2024-31967 1 Mitel 3 6800 Series Sip Phones, 6900 Series Sip Phones, 6970 Conference Unit 2026-04-15 9.1 Critical
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration.
CVE-2024-31964 1 Mitel 3 6800 Series Sip Phones, 6900w Series Sip Phone, 6970 Conference Unit 2026-04-15 7.5 High
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication control. A successful exploit could allow an attacker to modify system configuration settings and potentially cause a denial of service.
CVE-2024-29077 1 Intel 1 Jam Stapl Player Software 2026-04-15 6.7 Medium
Improper access control in some JAM STAPL Player software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-29080 2026-04-15 6.5 Medium
Potential vulnerabilities have been identified in the HP Display Control software component within the HP Application Enabling Software Driver which might allow escalation of privilege.
CVE-2024-29085 2026-04-15 5.5 Medium
Improper access control for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2024-34463 1 Bpl 1 Pws-01-bt 2026-04-15 5.1 Medium
BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.)
CVE-2025-46572 1 Auth0 1 Passport-wsfed-saml2 2026-04-15 N/A
passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
CVE-2024-50945 2026-04-15 7.5 High
An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.
CVE-2024-7350 1 Reputeinfosystems 1 Appointment Booking Calendar Plugin And Scheduling Plugin Bookingpress 2026-04-15 9.8 Critical
The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.
CVE-2024-7395 1 Korenix 1 Jetport 5601 2026-04-15 N/A
An authentication bypass vulnerability in Korenix JetPort 5601v3 allows an attacker to access functionality on the device without specifying a password.This issue affects JetPort 5601v3: through 1.2.