Search Results (11393 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43192 | 1 Apple | 3 Macos, Sequoia, Sonoma | 2026-04-02 | 9.8 Critical |
| A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. Account-driven User Enrollment may still be possible with Lockdown Mode turned on. | ||||
| CVE-2024-44127 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 5.3 Medium |
| This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication. | ||||
| CVE-2025-24236 | 1 Apple | 1 Macos | 2026-04-02 | 5.5 Medium |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access sensitive user data. | ||||
| CVE-2024-54465 | 1 Apple | 1 Macos | 2026-04-02 | 9.8 Critical |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges. | ||||
| CVE-2025-31258 | 1 Apple | 1 Macos | 2026-04-02 | 6.5 Medium |
| This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.5. An app may be able to break out of its sandbox. | ||||
| CVE-2025-69101 | 2 Amentotech, Wordpress | 2 Workreap, Wordpress | 2026-04-02 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.1. | ||||
| CVE-2021-26262 | 1 Philips | 4 Mri 1.5t, Mri 1.5t Firmware, Mri 3t and 1 more | 2026-04-02 | 5.5 Medium |
| Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | ||||
| CVE-2026-2343 | 2 Peprodev Ultimate Invoice, Wordpress | 2 Peprodev Ultimate Invoice, Wordpress | 2026-04-02 | 5.3 Medium |
| The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably, making it possible to brute force and retrieve PII. | ||||
| CVE-2026-20998 | 1 Samsung | 1 Smart Switch | 2026-04-02 | 9.8 Critical |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication. | ||||
| CVE-2026-21004 | 1 Samsung | 1 Smart Switch | 2026-04-02 | 6.5 Medium |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to trigger a denial of service. | ||||
| CVE-2026-25471 | 2 Themepaste, Wordpress | 2 Admin Safety Guard, Wordpress | 2026-04-02 | N/A |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation. This issue affects Admin Safety Guard: from n/a through <= 1.2.6. | ||||
| CVE-2026-4628 | 1 Redhat | 8 Build Keycloak, Build Of Keycloak, Jboss Enterprise Application Platform and 5 more | 2026-04-02 | 4.3 Medium |
| A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. | ||||
| CVE-2026-3531 | 2 Bojanz, Drupal | 2 Openid Connect / Oauth Client, Openid | 2026-04-02 | 6.5 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0. | ||||
| CVE-2026-0748 | 2 Drupal, Internationalization Project | 2 Internationalization, Internationalization | 2026-04-02 | 4.3 Medium |
| In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35. | ||||
| CVE-2026-33898 | 2 Linuxcontainers, Lxc | 2 Incus, Incus | 2026-04-02 | 8.8 High |
| Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL. This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue. | ||||
| CVE-2026-33726 | 1 Cilium | 1 Cilium | 2026-04-02 | 5.4 Medium |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers. | ||||
| CVE-2026-33735 | 1 Franklioxygen | 1 Mytube | 2026-04-02 | 8.8 High |
| MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue. | ||||
| CVE-2026-33890 | 1 Franklioxygen | 1 Mytube | 2026-04-02 | 9.8 Critical |
| MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue. | ||||
| CVE-2026-32678 | 1 Buffalo | 93 Fs-m1266, Fs-m1266 Firmware, Fs-s1266 and 90 more | 2026-04-02 | N/A |
| Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication. | ||||
| CVE-2026-0558 | 2 Lollms, Parisneo | 2 Lollms, Parisneo/lollms | 2026-04-02 | 9.8 Critical |
| A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies. | ||||