Search Results (11480 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0407 | 1 Netgear | 8 Ex2800, Ex2800 Firmware, Ex3110 and 5 more | 2026-02-26 | 8.0 High |
| An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | ||||
| CVE-2025-62349 | 1 Salt Project | 1 Salt | 2026-02-26 | 6.2 Medium |
| Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. | ||||
| CVE-2025-67848 | 1 Moodle | 1 Moodle | 2026-02-26 | 8.1 High |
| A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. | ||||
| CVE-2024-1709 | 1 Connectwise | 1 Screenconnect | 2026-02-26 | 10 Critical |
| ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | ||||
| CVE-2025-64175 | 1 Gogs | 1 Gogs | 2026-02-26 | 8.8 High |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | ||||
| CVE-2025-61973 | 1 Epic Games | 1 Epic Games Store | 2026-02-26 | 8.8 High |
| A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | ||||
| CVE-2023-24489 | 1 Citrix | 1 Sharefile Storage Zones Controller | 2026-02-26 | 9.8 Critical |
| A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. | ||||
| CVE-2026-0629 | 1 Tp-link | 31 Vigi C230i Mini, Vigi C240, Vigi C250 and 28 more | 2026-02-26 | N/A |
| Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. | ||||
| CVE-2025-55130 | 1 Nodejs | 2 Node.js, Nodejs | 2026-02-26 | 9.1 Critical |
| A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | ||||
| CVE-2026-21960 | 1 Oracle | 1 Applications Dba | 2026-02-26 | 6.5 Medium |
| Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2023-23752 | 1 Joomla | 1 Joomla! | 2026-02-26 | 5.3 Medium |
| An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. | ||||
| CVE-2025-15582 | 1 Detronetdip | 1 E-commerce | 2026-02-26 | 5.4 Medium |
| A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2024-47183 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-02-25 | 8.1 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0. | ||||
| CVE-2023-33071 | 1 Qualcomm | 26 Qca6574, Qca6574 Firmware, Qca6574a and 23 more | 2026-02-25 | 8.4 High |
| Memory corruption in Automotive OS whenever untrusted apps try to access HAb for graphics functionalities. | ||||
| CVE-2023-50706 | 1 Efacec | 2 Uc 500e, Uc 500e Firmware | 2026-02-25 | 4.1 Medium |
| A user without administrator permissions with access to the UC500 Windows system could perform a memory dump of the running processes and extract clear credentials or valid session tokens. | ||||
| CVE-2025-69284 | 2 Makeplane, Plane | 2 Plane, Plane | 2026-02-25 | 4.3 Medium |
| Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs because the `/api/workspaces/:slug/members/` endpoint is accessible by a guest and lists the users of a specific workspace that they joined. Since the `display_name` in the response is actually the local part of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue. | ||||
| CVE-2022-23795 | 1 Joomla | 1 Joomla! | 2026-02-25 | 9.8 Critical |
| An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover. | ||||
| CVE-2025-65097 | 2 Romm.app, Rommapp | 2 Romm, Romm | 2026-02-24 | 6.5 Medium |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2025-65096 | 2 Romm.app, Rommapp | 2 Romm, Romm | 2026-02-24 | 4.3 Medium |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via the API. No ownership verification is performed, and no check of whether the collection is public or private is made, before collection data is returned. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2025-11853 | 1 Sismics | 1 Teedy | 2026-02-24 | 6.3 Medium |
| A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||