Export limit exceeded: 23776 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10541 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2213 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5320 | 1 Vanna-ai | 1 Vanna | 2026-04-03 | 7.3 High |
| A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3207 | 1 Tibco | 1 Bpm Enterprise | 2026-04-03 | 9.8 Critical |
| Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access. | ||||
| CVE-2018-25224 | 2 Kimtore, Pms | 2 Practical Music Search, Pms | 2026-04-03 | 8.4 High |
| PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversized input that overflows the stack buffer and execute shell commands via return-oriented programming gadgets. | ||||
| CVE-2026-24068 | 1 Vienna Symphonic Library | 1 Vienna Assistant | 2026-04-03 | 8.8 High |
| The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation. | ||||
| CVE-2026-34731 | 1 Wwbn | 1 Avideo | 2026-04-02 | 7.5 High |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-34732 | 1 Wwbn | 1 Avideo | 2026-04-02 | 5.3 Medium |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches. | ||||
| CVE-2025-24271 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2026-04-02 | 5.4 Medium |
| An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac could send it AirPlay commands without pairing. | ||||
| CVE-2026-20995 | 1 Samsung | 1 Smart Switch | 2026-04-02 | 5.3 Medium |
| Exposure of sensitive functionality to an unauthorized actor in Smart Switch prior to version 3.7.69.15 allows remote attackers to set a specific configuration. | ||||
| CVE-2025-15517 | 1 Tp-link | 19 Archer Nx200, Archer Nx200 Firmware, Archer Nx200 V1.0 and 16 more | 2026-04-02 | 8.1 High |
| A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations. | ||||
| CVE-2026-3527 | 2 Ceriumsoft, Drupal | 2 Ajax Dashboard, Ajax Dashboard | 2026-04-02 | 6.5 Medium |
| Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0. | ||||
| CVE-2026-33366 | 1 Buffalo | 93 Fs-m1266, Fs-m1266 Firmware, Fs-s1266 and 90 more | 2026-04-02 | N/A |
| Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication. | ||||
| CVE-2026-34162 | 2 Fastgpt, Labring | 2 Fastgpt, Fastgpt | 2026-04-02 | 10 Critical |
| FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5. | ||||
| CVE-2026-3356 | 1 Anritsu | 4 Remote Spectrum Monitor Ms27100a, Remote Spectrum Monitor Ms27101a, Remote Spectrum Monitor Ms27102a and 1 more | 2026-04-02 | N/A |
| The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error. | ||||
| CVE-2024-52438 | 1 Deco.agency | 1 De.branding | 2026-04-01 | N/A |
| Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue affects de:branding: from n/a through <= 1.0.2. | ||||
| CVE-2024-52437 | 1 Saul Morales Pacheco | 1 Banner System | 2026-04-01 | N/A |
| Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.This issue affects Banner System: from n/a through <= 1.0.0. | ||||
| CVE-2024-50489 | 2 Realty Workstation, Realtyworkstation | 2 Realty Workstation, Realty Workstation | 2026-04-01 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through <= 1.0.45. | ||||
| CVE-2024-50488 | 2 Priyabrata Sarkar, Priyabratasarkar | 2 Token Login, Token Login | 2026-04-01 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login allows Authentication Bypass.This issue affects Token Login: from n/a through <= 1.0.3. | ||||
| CVE-2024-50487 | 1 Maantheme | 1 Maanstore Api | 2026-04-01 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.This issue affects MaanStore API: from n/a through <= 1.0.1. | ||||
| CVE-2024-50486 | 1 Acnoo | 2 Acnoo Flutter Api, Flutter Api | 2026-04-01 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through <= 1.0.5. | ||||
| CVE-2024-50477 | 2 Stacks, Stacksmarket | 2 Stacks Mobile App Builder, Stacks Mobile App Builder | 2026-04-01 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3. | ||||