Export limit exceeded: 363261 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363261 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-6080 2 Lakeside Software, Lakesidesoftware 2 Systrack Lsiagent Installer, Systrack Lsiagent 2026-04-01 7.8 High
Lakeside Software’s SysTrack LsiAgent Installer version 10.7.8 for Windows contains a local privilege escalation vulnerability which allows attackers SYSTEM level access.
CVE-2025-70033 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 5.4 Medium
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
CVE-2025-70032 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 6.1 Medium
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
CVE-2025-70030 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 7.5 High
An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
CVE-2025-70031 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 8.8 High
An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
CVE-2025-70028 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 7.5 High
An issue pertaining to CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
CVE-2026-5045 1 Tenda 2 Fh1201, Fh1201 Firmware 2026-04-01 8.8 High
A vulnerability was detected in Tenda FH1201 1.2.0.14(408). This impacts the function WrlclientSet of the file /goform/WrlclientSet of the component Parameter Handler. Performing a manipulation of the argument GO results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVE-2026-33572 1 Openclaw 1 Openclaw 2026-04-01 8.4 High
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
CVE-2026-32974 1 Openclaw 1 Openclaw 2026-04-01 8.6 High
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.
CVE-2025-70029 2 Sunbird, Sunbird-ed 2 Sunbirded-portal, Sunbirded-portal 2026-04-01 7.5 High
An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options
CVE-2026-31958 1 Tornadoweb 1 Tornado 2026-04-01 7.5 High
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVE-2025-62969 2 Wordpress, Xlplugins 2 Wordpress, Nextmove 2026-04-01 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Stored XSS.This issue affects NextMove Lite: from n/a through <= 2.23.0.
CVE-2026-3321 1 On24 2 On24 Q&a Chat, On24 Q A Chat 2026-04-01 N/A
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
CVE-2026-4317 1 Umami Software Application 1 Umami Software 2026-04-01 N/A
SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.
CVE-2025-14213 1 Cato Networks 1 Socket 2026-04-01 N/A
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system.
CVE-2026-5190 1 Aws 1 Aws-c-event-stream 2026-04-01 7.5 High
Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.
CVE-2026-5020 1 Totolink 2 A3600r, A3600r Firmware 2026-04-01 6.3 Medium
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
CVE-2026-34509 1 Openclaw 1 Openclaw 2026-04-01 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-34508 1 Openclaw 1 Openclaw 2026-04-01 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-9497 1 Microchip 1 Timeprovider 4100 2026-04-01 9.8 Critical
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.