Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (367102 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1272 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 7.7 High |
| The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. Additionally unsigned modules can be loaded, leading to execution of untrusted code breaking breaking any Secure Boot protection. This vulnerability affects only Fedora Linux. | ||||
| CVE-2025-12699 | 1 Zoll | 1 Zoll Epcr Ios Mobile Application | 2026-04-15 | 5.5 Medium |
| The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app's runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry. | ||||
| CVE-2025-25331 | 2026-04-15 | 5.5 Medium | ||
| An issue in Beitatong Technology LianJia iOS 9.83.50 allows attackers to access sensitive user information via supplying a crafted link. | ||||
| CVE-2025-12684 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins. | ||||
| CVE-2025-12677 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured. | ||||
| CVE-2024-42911 | 2026-04-15 | 7.4 High | ||
| ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability. | ||||
| CVE-2025-1265 | 2026-04-15 | 9.9 Critical | ||
| An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system. | ||||
| CVE-2025-12633 | 2 Stellarwp, Wordpress | 2 Booking Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | ||||
| CVE-2025-12636 | 1 Ubia | 1 Ubox | 2026-04-15 | 6.5 Medium |
| The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings. | ||||
| CVE-2025-12628 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them | ||||
| CVE-2025-12613 | 1 Cloudinary | 1 Cloudinary | 2026-04-15 | 8.6 High |
| Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response. | ||||
| CVE-2025-1260 | 1 Arista | 1 Eos | 2026-04-15 | 9.1 Critical |
| On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch. | ||||
| CVE-2025-1259 | 2026-04-15 | 7.7 High | ||
| On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available | ||||
| CVE-2025-12592 | 1 Vivotek | 1 Camera | 2026-04-15 | N/A |
| Legacy Vivotek Device firmware uses default credetials for the root and user login accounts. | ||||
| CVE-2025-12569 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.7 Medium |
| The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue | ||||
| CVE-2025-12548 | 1 Redhat | 1 Openshift Devspaces | 2026-04-15 | 9 Critical |
| A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. | ||||
| CVE-2025-12509 | 1 Bizerba | 1 Brain2 | 2026-04-15 | 8.4 High |
| On a client with an admin user, a Global_Shipping script can be implemented. The script could later be executed on the BRAIN2 server with administrator rights. | ||||
| CVE-2025-12508 | 2 Bizerba, Microsoft | 2 Brain2, Active Directory | 2026-04-15 | 8.4 High |
| When using domain users as BRAIN2 users, communication with Active Directory services is unencrypted. This can lead to the interception of authentication data and compromise confidentiality. | ||||
| CVE-2025-12507 | 2 Bizerba, Microsoft | 2 Communication Server, Windows | 2026-04-15 | 8.8 High |
| The service Bizerba Communication Server (BCS) has an unquoted service path. Due to the way Windows searches the executable for the BCS service, malicious programs can be executed. | ||||
| CVE-2024-39327 | 2026-04-15 | 9.9 Critical | ||
| Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way. | ||||