Search Results (509 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-43916 2026-04-15 3.4 Low
Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret."
CVE-2025-41720 1 Sauter 2 Ey-modulo 5 Devices, Modulo 6 Devices 2026-04-15 4.3 Medium
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.
CVE-2024-10772 1 Sick 2 Inspector61x Firmware, Inspector62x Firmware 2026-04-15 8.8 High
Since the firmware update is not validated, an attacker can install modified firmware on the device. This has a high impact on the availabilty, integrity and confidentiality up to the complete compromise of the device.
CVE-2024-32008 1 Siemens 1 Spectrum Power 4 2026-04-15 7.8 High
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as administrative application user.
CVE-2025-7344 2026-04-15 8.8 High
The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API.
CVE-2022-26323 2026-04-15 N/A
Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite (Containerized), OpenText™ UCMDB ( Classic and Containerized) allows Privilege Escalation.  The vulnerability could allow authenticated attackers to elevate user privileges. This issue affects Operations Bridge Manager: through 2021.05; Operations Bridge Suite (Containerized): through 2021.05; UCMDB ( Classic and Containerized): through 2021.05.
CVE-2025-5323 2026-04-15 3.7 Low
A vulnerability, which was classified as problematic, has been found in fossasia open-event-server 1.19.1. This issue affects the function send_email_change_user_email of the file /fossasia/open-event-server/blob/development/app/api/helpers/mail.py of the component Mail Verification Handler. The manipulation leads to reliance on obfuscation or encryption of security-relevant inputs without integrity checking. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5241 2026-04-15 5.3 Medium
Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lockout legitimate users for a certain period by repeatedly attempting to login with incorrect passwords. The legitimate users will be unable to login until a certain period has passed after the lockout or until the product is reset.
CVE-2025-50503 2026-04-15 8.8 High
A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.
CVE-2025-47241 2026-04-15 4 Medium
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
CVE-2024-33530 1 Jitsi 1 Meet 2026-04-15 7.5 High
In Jitsi Meet before 9391, a logic flaw in password-protected Jitsi meetings (that make use of a lobby) leads to the disclosure of the meeting password when a user is invited to a call after waiting in the lobby.
CVE-2024-36279 2026-04-15 5.3 Medium
Reliance on obfuscation or encryption of security-relevant inputs without integrity checking issue exists in "FreeFrom - the nostr client" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack.
CVE-2024-37018 1 Linuxfoundation 1 Opendaylight 2026-04-15 9.1 Critical
The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.
CVE-2025-29995 2026-04-15 N/A
This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users.
CVE-2024-5404 1 Ifm 4 Moneo For Microsoft Windows, Moneo Qha210, Moneo Qha300 and 1 more 2026-04-15 9.8 Critical
An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
CVE-2025-10127 1 Daikin 1 Security Gateway 2026-04-15 9.8 Critical
Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials.
CVE-2026-5863 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 8.8 High
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-29146 1 Apache 1 Tomcat 2026-04-14 7.5 High
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
CVE-2026-25177 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-14 8.8 High
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
CVE-2026-35663 1 Openclaw 1 Openclaw 2026-04-14 8.8 High
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.