Export limit exceeded: 347877 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (7759 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0628 | 1 Google | 1 Chrome | 2026-04-18 | 8.8 High |
| Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | ||||
| CVE-2026-0676 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 5.3 Medium |
| Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7. | ||||
| CVE-2026-0497 | 1 Sap | 1 Business Server Pages Application | 2026-04-18 | 4.3 Medium |
| SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | ||||
| CVE-2026-0503 | 1 Sap | 2 Erp Central Component, S/4hana | 2026-04-18 | 6.4 Medium |
| Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability. | ||||
| CVE-2026-0506 | 1 Sap | 6 Abap Platform, Application Server, Netweaver and 3 more | 2026-04-18 | 8.1 High |
| Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | ||||
| CVE-2026-1142 | 1 Phpgurukul | 1 News Portal | 2026-04-18 | 4.3 Medium |
| A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-1169 | 1 Birkir | 1 Prime | 2026-04-18 | 4.3 Medium |
| A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-21971 | 1 Oracle | 2 Peoplesoft Enterprise Scm Purchasing, Peoplesoft Supply Chain Management Purchasing | 2026-04-18 | 5.4 Medium |
| Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | ||||
| CVE-2026-21976 | 1 Oracle | 1 Business Intelligence | 2026-04-18 | 7.1 High |
| Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2026-21980 | 1 Oracle | 1 Life Sciences Central Coding | 2026-04-18 | 6.5 Medium |
| Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | ||||
| CVE-2026-23517 | 1 Fleetdm | 1 Fleet | 2026-04-18 | 8.1 High |
| Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. | ||||
| CVE-2026-23990 | 2 Control-plane, Controlplaneio-fluxcd | 2 Flux Operator, Flux-operator | 2026-04-18 | 5.3 Medium |
| The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | ||||
| CVE-2026-24055 | 1 Langfuse | 1 Langfuse | 2026-04-18 | 5.3 Medium |
| Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | ||||
| CVE-2026-24042 | 1 Appsmith | 1 Appsmith | 2026-04-18 | 9.4 Critical |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | ||||
| CVE-2026-20888 | 1 Gitea | 1 Gitea | 2026-04-18 | 4.3 Medium |
| Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | ||||
| CVE-2026-24625 | 2 Imaginate-solutions, Wordpress | 2 File Uploads Addon For Woocommerce, Wordpress | 2026-04-18 | 5.3 Medium |
| Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | ||||
| CVE-2026-24139 | 1 Franklioxygen | 1 Mytube | 2026-04-18 | 6.5 Medium |
| MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | ||||
| CVE-2026-24421 | 2 Phpmyfaq, Thorsten | 2 Phpmyfaq, Phpmyfaq | 2026-04-18 | 6.5 Medium |
| phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | ||||
| CVE-2026-23683 | 1 Sap | 1 Fiori | 2026-04-18 | 4.3 Medium |
| SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted. | ||||
| CVE-2026-1745 | 2 Oretnom23, Sourcecodester | 2 Medical Certificate Generator App, Medical Certificate Generator App | 2026-04-18 | 4.3 Medium |
| A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||