Total: 428 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7350 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled. | | | | | |
| CVE-2025-1313 | | | 2026-04-15 | N/A | 8.8 HIGH |
| The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the theme not properly validating a user's identity prior to updating their details, such as the email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. | | | | | |
| CVE-2023-50915 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| An issue exists in GalaxyClientService.exe in GOG Galaxy (Beta) 2.0.67.2 through 2.0.71.2 that could allow authenticated users to overwrite and corrupt critical system files via a combination of an NTFS Junction and an RPC Object Manager symbolic link, which could result in a denial of service. | | | | | |
| CVE-2025-67998 | | | 2026-04-15 | N/A | 8.8 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor (miraculous-el) allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7. | | | | | |
| CVE-2024-46887 | | | 2026-04-15 | N/A | 5.3 MEDIUM |
| The web server of affected devices does not properly authenticate user requests to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about the configured maximum communication load. | | | | | |
| CVE-2026-30079 | 1 Openairinterface | 1 Oai-cn5g-amf | 2026-04-14 | N/A | 9.8 CRITICAL |
| In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept. This leads to the UE being registered without proper authentication. | | | | | |
| CVE-2026-35654 | 1 Openclaw | 1 Openclaw | 2026-04-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection. | | | | | |
| CVE-2026-35647 | 1 Openclaw | 1 Openclaw | 2026-04-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission. | | | | | |
| CVE-2026-35664 | 1 Openclaw | 1 Openclaw | 2026-04-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization. | | | | | |
| CVE-2026-35661 | 1 Openclaw | 1 Openclaw | 2026-04-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state. | | | | | |
| CVE-2026-4700 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | | | | | |
| CVE-2026-2791 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | | | | | |
| CVE-2026-2784 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | | | | | |
| CVE-2026-2775 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | | | | | |
| CVE-2025-3932 | 1 Mozilla | 1 Thunderbird | 2026-04-13 | N/A | 6.5 MEDIUM |
| It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1. | | | | | |
| CVE-2025-13018 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 8.1 HIGH |
| Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. | | | | | |
| CVE-2025-13013 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 6.1 MEDIUM |
| Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5. | | | | | |
| CVE-2025-10531 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 5.4 MEDIUM |
| Mitigation bypass in the Web Compatibility: Tooling component. This vulnerability was fixed in Firefox 143 and Thunderbird 143. | | | | | |
| CVE-2026-31151 | 1 Kaleris | 1 Yard Management Solutions | 2026-04-10 | N/A | 9.8 CRITICAL |
| An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources. | | | | | |
| CVE-2026-34372 | 1 Sulu | 1 Sulu | 2026-04-10 | N/A | 2.7 LOW |
| Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user who has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even having permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5. | | | | | |
