Total
1449 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0266 | 1 Openstack | 2 Essex, Folsom | 2026-04-30 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in the `puppetlabs-cinder` module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable permissions, on the `cinder.conf` and `api-paste.ini` configuration files. A local user can exploit this by reading these files, which leads to the disclosure of OpenStack administrative passwords. This information disclosure could allow unauthorized access to sensitive OpenStack resources. | |||||
| CVE-2012-4453 | 3 Dracut Project, Fedoraproject, Redhat | 5 Dracut, Fedora, Enterprise Linux Desktop and 2 more | 2026-04-29 | 2.1 LOW | N/A |
| dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information. | |||||
| CVE-2011-2859 | 1 Google | 1 Chrome | 2026-04-29 | 6.8 MEDIUM | N/A |
| Google Chrome before 14.0.835.163 uses incorrect permissions for non-gallery pages, which has unspecified impact and attack vectors. | |||||
| CVE-2011-4361 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2026-04-29 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions. | |||||
| CVE-2010-4176 | 3 Dracut Project, Fedoraproject, Udev Project | 3 Dracut, Fedora, Udev | 2026-04-29 | 4.0 MEDIUM | N/A |
| plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty device file, which allows remote authenticated users to read terminal data from tty0 for local users. | |||||
| CVE-2011-2782 | 2 Google, Linux | 2 Chrome, Linux Kernel | 2026-04-29 | 4.3 MEDIUM | N/A |
| The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors. | |||||
| CVE-2013-4394 | 2 Debian, Systemd Project | 2 Debian Linux, Systemd | 2026-04-29 | 5.9 MEDIUM | N/A |
| The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters." | |||||
| CVE-2011-1435 | 1 Google | 1 Chrome | 2026-04-29 | 5.0 MEDIUM | N/A |
| Google Chrome before 11.0.696.57 does not properly implement the tabs permission for extensions, which allows remote attackers to read local files via a crafted extension. | |||||
| CVE-2024-22301 | 1 Eduva | 1 Albo Pretorio Online | 2026-04-28 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line.This issue affects Albo Pretorio On line: from n/a through 4.6.6. | |||||
| CVE-2023-23976 | 1 Metagauss | 1 Registrationmagic | 2026-04-28 | N/A | 7.5 HIGH |
| Incorrect Default Permissions vulnerability in Metagauss RegistrationMagic allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects RegistrationMagic: from n/a through 5.1.9.2. | |||||
| CVE-2025-1789 | 1 Genetec | 1 Genetec Update Service | 2026-04-26 | N/A | 7.8 HIGH |
| Local privilege escalation in Genetec Update Service. An authenticated, low-privileged, Windows user could exploit this vulnerability to gain elevated privileges on the affected system. | |||||
| CVE-2006-5014 | 1 Cpanel | 1 Cpanel | 2026-04-23 | 9.0 HIGH | 8.8 HIGH |
| Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin. | |||||
| CVE-2026-6819 | 2026-04-22 | N/A | 8.8 HIGH | ||
| HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system. | |||||
| CVE-2026-6823 | 2026-04-22 | N/A | 8.2 HIGH | ||
| HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools. | |||||
| CVE-2026-0539 | 2026-04-22 | N/A | N/A | ||
| Incorrect Default Permissions in pcvisit service binary on Windows allows a low-privileged local attacker to escalate their privileges by overwriting the service binary with arbitrary contents. This service binary is automatically launched with NT\SYSTEM privileges on boot. This issue affects all versions after 22.6.22.1329 and was fixed in 25.12.3.1745. | |||||
| CVE-2026-30811 | 1 Artica | 1 Pandora Fms | 2026-04-22 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800 | |||||
| CVE-2013-0632 | 1 Adobe | 1 Coldfusion | 2026-04-21 | 10.0 HIGH | 9.8 CRITICAL |
| administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013. | |||||
| CVE-2026-39454 | 2026-04-20 | N/A | 7.8 HIGH | ||
| SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installation folder of the product. As a result, arbitrary code may be executed with the administrative privilege. | |||||
| CVE-2025-32453 | 1 Intel | 324 Arc 130t, Arc 130v, Arc 140t and 321 more | 2026-04-20 | N/A | 6.7 MEDIUM |
| Incorrect default permissions for some Intel(R) Graphics Driver software within Ring 2: Privileged Process may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | |||||
| CVE-2026-21013 | 1 Samsung | 1 Galaxy Wearable | 2026-04-16 | N/A | 5.5 MEDIUM |
| Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. | |||||