Export limit exceeded: 344400 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344400 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62844 | 2 Qnap, Qnap Systems | 2 Qurouter, Qurouter | 2026-04-14 | 5.5 Medium |
| A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | ||||
| CVE-2026-21643 | 1 Fortinet | 1 Forticlientems | 2026-04-14 | 9.1 Critical |
| An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | ||||
| CVE-2025-62843 | 2 Qnap, Qnap Systems | 2 Qurouter, Qrouter | 2026-04-14 | 6.8 Medium |
| An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later | ||||
| CVE-2025-62846 | 2 Qnap, Qnap Systems | 2 Qurouter, Qurouter | 2026-04-14 | 6.7 Medium |
| An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | ||||
| CVE-2026-40074 | 1 Svelte | 1 Kit | 2026-04-14 | N/A |
| SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1. | ||||
| CVE-2026-40315 | 2026-04-14 | N/A | ||
| PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133. | ||||
| CVE-2026-40287 | 2026-04-14 | 8.4 High | ||
| PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139. | ||||
| CVE-2026-39422 | 2026-04-14 | N/A | ||
| MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0. | ||||
| CVE-2026-36948 | 2026-04-14 | 7.3 High | ||
| Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php. | ||||
| CVE-2026-31049 | 2026-04-14 | N/A | ||
| An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field | ||||
| CVE-2025-8095 | 2026-04-14 | N/A | ||
| The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption. | ||||
| CVE-2025-7389 | 2026-04-14 | N/A | ||
| A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI. The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry. | ||||
| CVE-2025-66447 | 1 Chamilo | 1 Chamilo Lms | 2026-04-14 | 0 Low |
| Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2. | ||||
| CVE-2026-31940 | 1 Chamilo | 1 Chamilo Lms | 2026-04-14 | 7.5 High |
| Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | ||||
| CVE-2026-5908 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low) | ||||
| CVE-2026-5913 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.1 High |
| Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5914 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2026-5915 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.1 High |
| Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5918 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-67478 | 2 Mediawiki, Wikimedia | 2 Checkuser, Checkuser | 2026-04-14 | 8.8 High |
| Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. | ||||