Search Results (366372 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-48204 1 Hanzhou Haboo 1 Network Management System 2026-04-15 9.8 Critical
SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script.
CVE-2024-48206 1 Chainer 1 Chainer 2026-04-15 9.8 Critical
A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code.
CVE-2024-48214 1 Keruistore 1 Kerui Hd 3mp 1080p Tuya Camera Firmware 2026-04-15 8.4 High
KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code. By that, the attacker can execute arbitrary code on the camera.
CVE-2024-48217 1 Sismart 1 Cms 2026-04-15 8.8 High
An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation.
CVE-2024-48234 1 Mipjz Project 1 Mipjz 2026-04-15 4.9 Medium
An issue was discovered in mipjz 5.0.5. In the push method of app\tag\controller\ApiAdminTag.php the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in Server-side request forgery (SSRF) vulnerability that can read server files.
CVE-2024-4826 2026-04-15 9.8 Critical
SQL injection vulnerability in Simple PHP Shopping Cart affecting version 0.9. This vulnerability could allow an attacker to retrieve all the information stored in the database by sending a specially crafted SQL query, due to the lack of proper sanitisation of the category_id parameter in the category.php file.
CVE-2024-48289 2026-04-15 6.5 Medium
An issue in the Bluetooth Low Energy implementation of Cypress Bluetooth SDK v3.66 allows attackers to cause a Denial of Service (DoS) via supplying a crafted LL_PAUSE_ENC_REQ packet.
CVE-2024-48292 2 Quickheal Antivirus Pro, Quickheal Total Security 2 Quickheal Antivirus Pro, Quickheal Total Security 2026-04-15 8.8 High
An issue in the wssrvc.exe service of QuickHeal Antivirus Pro Version v24.0 and Quick Heal Total Security v24.0 allows authenticated attackers to escalate privileges.
CVE-2024-48293 1 Quickheal Antivirus Pro 1 Quickheal Antivirus Pro 2026-04-15 6.5 Medium
Incorrect access control in QuickHeal Antivirus Pro 24.1.0.182 and earlier allows authenticated attackers with low-level privileges to arbitrarily modify antivirus settings.
CVE-2024-48294 1 Wondershare Pdf Reader 1 Wondershare Pdf Reader 2026-04-15 5.5 Medium
A NULL pointer dereference in the component libPdfCore.dll of Wondershare PDF Reader v1.0.9.2544 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CVE-2024-48310 2026-04-15 7.5 High
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.
CVE-2024-48312 1 Weblaudos 1 Weblaudos 2026-04-15 5.4 Medium
WebLaudos v20.8 (118) was discovered to contain a cross-site scripting (XSS) vulnerability via the login page.
CVE-2024-48322 1 Run.codes 1 Run.codes 2026-04-15 8.1 High
UsersController.php in Run.codes 1.5.2 and older has a reset password race condition vulnerability.
CVE-2024-48336 1 Magisk 1 Magisk 2026-04-15 8.4 High
The install() function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional privileges to silently execute arbitrary code in the Magisk app and escalate privileges to root via a crafted package, aka Bug #8279. User interaction is not needed for exploitation.
CVE-2024-48346 1 Xtreme1-io 1 Xtreme1 2026-04-15 6.1 Medium
xtreme1 <= v0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems.
CVE-2024-4836 2026-04-15 7.5 High
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.
CVE-2024-4838 2026-04-15 7.5 High
The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-48396 1 Sohelamin 1 Chatbot 2026-04-15 6.1 Medium
AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript code. The chatbot fails to sanitize these inputs, leading to the execution of malicious scripts.
CVE-2024-4840 1 Redhat 1 Openstack 2026-04-15 5.5 Medium
An flaw was found in the OpenStack Platform (RHOSP) director, a toolset for installing and managing a complete RHOSP environment. Plaintext passwords may be stored in log files, which can expose sensitive information to anyone with access to the logs.
CVE-2024-48406 1 Umicat 1 Umicat 2026-04-15 9.8 Critical
Buffer Overflow vulnerability in SunBK201 umicat through v.0.3.2 and fixed in v.0.3.3 allows an attacker to execute arbitrary code via the power(uct_int_t x, uct_int_t n) in src/uct_upstream.c.