Export limit exceeded: 344240 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search Results (344240 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34443 | 2 Freescout, Freescout Helpdesk | 2 Freescout, Freescout | 2026-04-13 | 5.3 Medium |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR ranges. The entire 10.0.0.0/8 and 172.16.0.0/12 private ranges are unprotected. This issue has been patched in version 1.8.211. | ||||
| CVE-2019-25711 | 1 Nsauditor | 1 Spotftp Password Recover | 2026-04-13 | 6.2 Medium |
| SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code. | ||||
| CVE-2026-34450 | 2 Anthropic, Anthropics | 2 Claude Sdk For Python, Anthropic-sdk-python | 2026-04-13 | 4.4 Medium |
| The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0. | ||||
| CVE-2026-39586 | 2 Ateeq Rafeeq, Wordpress | 2 Repairbuddy, Wordpress | 2026-04-13 | N/A |
| Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data. This issue affects RepairBuddy: from n/a through <= 4.1132. | ||||
| CVE-2025-15441 | 2 10web, Wordpress | 2 Form Maker, Wordpress | 2026-04-13 | N/A |
| The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. | ||||
| CVE-2026-6154 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-13 | 9.8 Critical |
| A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-34867 | 1 Huawei | 1 Harmonyos | 2026-04-13 | 5.6 Medium |
| Double free vulnerability in the multi-mode input system. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2025-50228 | 1 Cherry-toto | 1 Jizhicms | 2026-04-13 | N/A |
| Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. | ||||
| CVE-2025-45806 | 1 Rrweb-io | 1 Rrweb | 2026-04-13 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2025-70364 | 1 Kiamo | 1 Kiamo | 2026-04-13 | N/A |
| An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. | ||||
| CVE-2025-70810 | 1 Ariefibis | 1 Phpbb3 | 2026-04-13 | N/A |
| Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism. | ||||
| CVE-2026-30479 | 1 Mapserver | 1 Mapserver | 2026-04-13 | N/A |
| A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. | ||||
| CVE-2025-70811 | 1 Ariefibis | 1 Phpbb3 | 2026-04-13 | N/A |
| Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | ||||
| CVE-2026-1101 | 1 Gitlab | 1 Gitlab | 2026-04-13 | 6.5 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries. | ||||
| CVE-2026-4112 | 1 Sonicwall | 1 Sma1000 | 2026-04-13 | N/A |
| Improper neutralization of special elements used in an SQL command (“SQL Injection”) in SonicWall SMA1000 series appliances allows a remote authenticated attacker with read-only administrator privileges to escalate privileges to primary administrator. | ||||
| CVE-2026-5438 | 1 Orthanc | 1 Dicom Server | 2026-04-13 | N/A |
| A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory. | ||||
| CVE-2026-40025 | 1 Sleuthkit | 1 The Sleuth Kit | 2026-04-13 | 4.4 Medium |
| The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes. | ||||
| CVE-2026-40027 | 1 Abrignoni | 1 Aleapp | 2026-04-13 | 7.3 High |
| ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration. | ||||
| CVE-2026-40037 | 1 Openclaw | 1 Openclaw | 2026-04-13 | 6.5 Medium |
| OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. | ||||
| CVE-2026-5914 | 1 Google | 1 Chrome | 2026-04-13 | 8.8 High |
| Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low) | ||||