Export limit exceeded: 363079 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2287 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8039 | 1 Tecno | 1 Com.afmobi.boomplayer | 2026-04-15 | 9.8 Critical |
| Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks. | ||||
| CVE-2024-8256 | 1 Teltonika-networks | 2 Rutos Devices, Tswos | 2026-04-15 | N/A |
| In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API. | ||||
| CVE-2023-32190 | 1 Suse | 1 Opensuse Tumbleweed | 2026-04-15 | 7.8 High |
| mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges. | ||||
| CVE-2020-37080 | 2 Luiswang, Webtareas Project | 2 Webtareas, Webtareas | 2026-04-15 | 9.8 Critical |
| webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism. | ||||
| CVE-2020-37078 | 1 I-doit | 1 I-doit | 2026-04-15 | 8.8 High |
| i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | ||||
| CVE-2025-3103 | 2026-04-15 | 7.5 High | ||
| The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4. | ||||
| CVE-2025-30063 | 2026-04-15 | N/A | ||
| The configuration file containing database logins and passwords is readable by any local user. | ||||
| CVE-2025-10541 | 1 Imonitor | 1 Imonitor Eam | 2026-04-15 | 7.8 High |
| iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can create and write to this directory, an attacker can place malicious DLLs or executables in it. Upon service restart, the files are moved to the application’s installation path and executed with SYSTEM privileges, leading to privilege escalation. | ||||
| CVE-2025-24527 | 1 Akamai | 1 Enterprise Application Access | 2026-04-15 | 8 High |
| An issue was discovered in Akamai Enterprise Application Access (EAA) before 2025-01-17. If an admin knows another tenant's 128-bit connector GUID, they can execute debug commands on that connector. | ||||
| CVE-2026-4702 | 1 Mozilla | 2 Firefox, Firefox Esr | 2026-04-14 | 9.8 Critical |
| JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | ||||
| CVE-2026-34450 | 2 Anthropic, Anthropics | 2 Claude Sdk For Python, Anthropic-sdk-python | 2026-04-14 | 4.4 Medium |
| The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0. | ||||
| CVE-2026-34522 | 1 Sillytavern | 1 Sillytavern | 2026-04-14 | 8.1 High |
| SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0. | ||||
| CVE-2026-35174 | 2 Chyrplite, Xenocrat Project | 2 Chyrp Lite, Chyrp-lite | 2026-04-14 | 9.1 Critical |
| Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01. | ||||
| CVE-2026-23898 | 1 Joomla | 2 Joomla!, Joomla\! | 2026-04-10 | 7.2 High |
| Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism. | ||||
| CVE-2025-14979 | 1 Airvpn | 1 Eddie | 2026-04-09 | 7.8 High |
| AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6. | ||||
| CVE-2025-9920 | 1 Campcodes | 1 Online Recruitment Management System | 2026-04-09 | 4.7 Medium |
| A security flaw has been discovered in Campcodes Recruitment Management System 1.0. This impacts the function include of the file /admin/index.php. The manipulation of the argument page results in file inclusion. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2026-30282 | 2 Uxgroup, Uxgroupllc | 2 Cast To Tv Screen Mirroring, Cast To Tv | 2026-04-08 | 9 Critical |
| An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure. | ||||
| CVE-2026-33949 | 2 Ssw, Tina | 2 Tinacms\/graphql, Tinacms | 2026-04-08 | 8.1 High |
| Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2. | ||||
| CVE-2024-6467 | 1 Reputeinfosystems | 1 Bookingpress | 2026-04-08 | 8.8 High |
| The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the 'bookingpress_save_lite_wizard_settings_func' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files (either on the local server or from a remote location), allowing the execution of any PHP code in those files or the exposure of sensitive information. | ||||
| CVE-2023-6506 | 1 Wpwhitesecurity | 1 Wp 2fa | 2026-04-08 | 4.3 Medium |
| The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site. | ||||