Total
497 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67298 | 1 Classroomio | 1 Classroomio | 2026-04-07 | N/A | 8.1 HIGH |
| An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | |||||
| CVE-2026-34778 | 2026-04-04 | N/A | 5.9 MEDIUM | ||
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0. | |||||
| CVE-2026-33175 | 2026-04-03 | N/A | 8.8 HIGH | ||
| OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0. | |||||
| CVE-2026-33433 | 1 Traefik | 1 Traefik | 2026-04-03 | N/A | 8.8 HIGH |
| Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue. | |||||
| CVE-2025-43503 | 1 Apple | 5 Ipados, Iphone Os, Safari and 2 more | 2026-04-02 | N/A | 4.3 MEDIUM |
| An inconsistent user interface issue was addressed with improved state management. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Visiting a malicious website may lead to user interface spoofing. | |||||
| CVE-2025-43493 | 1 Apple | 4 Ipados, Iphone Os, Safari and 1 more | 2026-04-02 | N/A | 4.3 MEDIUM |
| The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1. Visiting a malicious website may lead to address bar spoofing. | |||||
| CVE-2024-27853 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 4.4 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4. A maliciously crafted ZIP archive may bypass Gatekeeper checks. | |||||
| CVE-2026-32229 | 1 Jetbrains | 1 Hub | 2026-04-02 | N/A | 6.8 MEDIUM |
| In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled | |||||
| CVE-2026-0385 | 1 Microsoft | 1 Edge Chromium | 2026-04-01 | N/A | 5.0 MEDIUM |
| Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | |||||
| CVE-2025-32275 | 1 Ays-pro | 1 Survey Maker | 2026-04-01 | N/A | 5.3 MEDIUM |
| Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker survey-maker allows Identity Spoofing.This issue affects Survey Maker: from n/a through <= 5.1.6.3. | |||||
| CVE-2025-32227 | 2026-04-01 | N/A | N/A | ||
| Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identity Spoofing.This issue affects Asgaros Forum: from n/a through <= 3.0.0. | |||||
| CVE-2025-24628 | 2026-04-01 | N/A | N/A | ||
| Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing.This issue affects Google Captcha: from n/a through <= 1.78. | |||||
| CVE-2024-45453 | 2026-04-01 | N/A | N/A | ||
| Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect jf3-maintenance-mode.This issue affects Maintenance Redirect: from n/a through <= 2.0.1. | |||||
| CVE-2024-43944 | 2026-04-01 | N/A | N/A | ||
| Authentication Bypass by Spoofing vulnerability in ilyasine Maintenance & Coming Soon Redirect Animation maintenance-coming-soon-redirect-animation allows Identity Spoofing.This issue affects Maintenance & Coming Soon Redirect Animation: from n/a through <= 2.3.3. | |||||
| CVE-2024-37430 | 2026-04-01 | N/A | N/A | ||
| Authentication Bypass by Spoofing vulnerability in patreon Patreon WordPress patreon-connect.This issue affects Patreon WordPress: from n/a through <= 1.9.0. | |||||
| CVE-2024-21746 | 1 Wpmet | 1 Wp Ultimate Review | 2026-04-01 | N/A | 7.5 HIGH |
| Authentication Bypass by Spoofing vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Identity Spoofing.This issue affects Wp Ultimate Review: from n/a through <= 2.3.6. | |||||
| CVE-2026-33661 | 1 Yansongda | 1 Pay | 2026-04-01 | N/A | 8.6 HIGH |
| Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue. | |||||
| CVE-2026-33654 | 2026-03-30 | N/A | N/A | ||
| nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue. | |||||
| CVE-2026-30975 | 1 Sonarr | 1 Sonarr | 2026-03-30 | N/A | 8.1 HIGH |
| Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution. | |||||
| CVE-2026-24372 | 2026-03-30 | N/A | 7.5 HIGH | ||
| Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10. | |||||