Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367102 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13467 1 Redhat 1 Build Keycloak 2026-04-15 5.5 Medium
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
CVE-2025-13466 1 Expressjs 1 Body-parser 2026-04-15 5.3 Medium
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.
CVE-2025-13470 1 Ribose 1 Rnp 2026-04-15 7.5 High
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path.
CVE-2025-13483 1 Sircom 1 Smart Alert 2026-04-15 N/A
SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application.
CVE-2025-13486 2 Hwk-fr, Wordpress 2 Advanced Custom Fields, Wordpress 2026-04-15 9.8 Critical
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
CVE-2025-13491 1 Ibm 1 App Connect Enterprise Certified Container 2026-04-15 5.1 Medium
IBM App Connect Enterprise Certified Container CD: 11.2.0 through 11.6.0, 12.1.0 through 12.19.0 and 12.0 LTS: 12.0.0 through 12.0.19 could allow an attacker to access sensitive files or modify configurations due to an untrusted search path.
CVE-2025-13524 4 Amazon, Apple, Linux and 1 more 4 Aws Wickr, Macos, Linux and 1 more 2026-04-15 5.7 Medium
Improper resource release in the call termination process in AWS Wickr before version 6.62.13 on Windows, macOS and Linux may allow a call participant to continue receiving audio input from another user after they close their call window. This issue occurs under certain conditions, which require the affected user to take a particular action within the application To mitigate this issue, users should upgrade AWS Wickr, Wickr Gov and Wickr Enterprise desktop version to version 6.62.13.
CVE-2025-1353 2026-04-15 7 High
A vulnerability was found in Kong Insomnia up to 10.3.0 and classified as critical. This issue affects some unknown processing in the library profapi.dll. The manipulation leads to untrusted search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The real existence of this vulnerability is still doubted at the moment. The vendor is not able to reproduce the issue.
CVE-2025-13532 1 Fortra 1 Boks 2026-04-15 6.2 Medium
Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms.  This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.
CVE-2025-1354 1 Asus 2 Rt-n10e, Rt-n12e 2026-04-15 N/A
A cross-site scripting (XSS) vulnerability in the RT-N10E/ RT-N12E 2.0.0.x firmware . This vulnerability caused by improper input validation and can be triggered via the manipulation of the SSID argument in the sysinfo.asp file, leading to disclosure of sensitive information. Note: All versions of RT-N10E and RT-N12E are unsupported (End-of-Life, EOL). Consumers can mitigate this vulnerability by disabling the remote access features from WAN
CVE-2025-13566 1 Jarun 1 Nnn 2026-04-15 3.3 Low
A security vulnerability has been detected in jarun nnn up to 5.1. The impacted element is the function show_content_in_floating_window/run_cmd_as_plugin of the file nnn/src/nnn.c. The manipulation leads to double free. An attack has to be approached locally. The identifier of the patch is 2f07ccdf21e705377862e5f9dfa31e1694979ac7. It is suggested to install a patch to address this issue.
CVE-2025-1357 2026-04-15 4.3 Medium
A vulnerability classified as problematic has been found in Seventh D-Guard up to 20250206. This affects an unknown part of the component HTTP GET Request Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-1358 2026-04-15 4.3 Medium
A vulnerability classified as problematic was found in Pix Software Vivaz 6.0.10. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-0057 2026-04-15 4.8 Medium
SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser.
CVE-2025-13589 1 Otsuka 1 Fms 2026-04-15 N/A
FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
CVE-2025-13588 1 Lkinderbuno 1 Streamity Xtream Iptv Player 2026-04-15 6.3 Medium
A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component.
CVE-2025-1359 2026-04-15 4.3 Medium
A vulnerability, which was classified as problematic, has been found in SIAM Industria de Automação e Monitoramento SIAM 2.0. This issue affects some unknown processing of the file /qrcode.jsp. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-0067 2026-04-15 6.3 Medium
Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with standard user role can create JCo connection entries, which are used for remote function calls from or to the application server. This could lead to low impact on confidentiality, integrity, and availability of the application.
CVE-2025-13607 1 D-link 1 Dcs-f5614-l1 2026-04-15 9.4 Critical
A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.
CVE-2025-0422 2026-04-15 N/A
An authenticated user in the "bestinformed Web" application can execute commands on the underlying server running the application. (Remote Code Execution) For this, the user must be able to create "ScriptVars" with the type „script" and preview them by, for example, creating a new "Info". By default, admin users have those permissions, but with the granular permission system, those permissions may be assigned to other users. An attacker is able to execute commands on the server running the "bestinformed Web" application if an account with the correct permissions was compromised before.