Search Results (362867 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-9902 1 Redhat 6 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 3 more 2026-04-15 6.3 Medium
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
CVE-2025-10495 1 Lenovo 5 App Store, Browser, Legion Zone and 2 more 2026-04-15 7.5 High
A potential vulnerability was reported in the Lenovo PC Manager, Lenovo App Store, Lenovo Browser, and Lenovo Legion Zone client applications that, under certain conditions, could allow an attacker on the same logical network to execute arbitrary code.
CVE-2025-1073 2026-04-15 7.5 High
Panasonic IR Control Hub (IR Blaster) versions 1.17 and earlier may allow an attacker with physical access to load unauthorized firmware onto the device.
CVE-2025-10971 3 Apple, Fermax, Google 3 Ios, Meetme, Android 2026-04-15 N/A
Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.
CVE-2025-11193 1 Lenovo 2 Tablet, Yoga 2026-04-15 5.5 Medium
A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.
CVE-2025-11278 1 Allstarlink 2 Allmon2, Supermon 2026-04-15 4.3 Medium
A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-22374 2026-04-15 N/A
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web, affecting versions prior to 1.1.3. This vulnerability has been patched in versions after 1.1.3. Leaving this vulnerability unpatched could lead to unauthorized access to the underlying infrastructure.
CVE-2025-11308 1 Vanderlande 1 Baggage 360 2026-04-15 3.5 Low
A vulnerability was identified in Vanderlande Baggage 360 7.0.0. This issue affects some unknown processing of the file /api-addons/v1/messages. Such manipulation of the argument Message leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11560 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.
CVE-2025-11565 1 Schneider-electric 1 Powerchute Serial Shutdown 2026-04-15 N/A
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload.
CVE-2025-12047 1 Lenovo 1 Scanner Pro 2026-04-15 5.3 Medium
A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the application.
CVE-2025-12463 1 Guetebruck 1 G-cam 2026-04-15 9.8 Critical
An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19.
CVE-2025-12465 1 Opensolution 1 Quick.cms 2026-04-15 N/A
A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVE-2025-12503 1 Digiwin 1 Easyflow .net 2026-04-15 6.5 Medium
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2025-48397 1 Eaton 1 Brightlayer Software Suite 2026-04-15 7.1 High
The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004).
CVE-2025-12623 1 Fushengqian 1 Fuint 2026-04-15 3.1 Low
A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
CVE-2025-12626 1 Jeecg 1 Jeecgboot 2026-04-15 4.3 Medium
A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. This affects the function getImgUrl of the file WxActGoldeneggsPrizesController.java. Performing manipulation of the argument imgurl results in path traversal. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The root cause was initially fixed but can be evaded with additional encoding.
CVE-2025-12630 1 Wordpress 1 Wordpress 2026-04-15 4.9 Medium
The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.
CVE-2025-12903 3 Mrclayton, Woocommerce, Wordpress 3 Payment Plugins Braintree For Woocommerce, Woocommerce, Wordpress 2026-04-15 7.5 High
The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
CVE-2025-12998 1 Typo3 1 Typo3 2026-04-15 N/A
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules.This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5.