Total: 2147 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26280 | | | 2026-04-15 | N/A | 7.9 HIGH |
| Locally installed application can bypass the permission check and perform system operations that require permission. | |||||
| CVE-2025-7045 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service. | |||||
| CVE-2025-34100 | | | 2026-04-15 | N/A | N/A |
| An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution. | |||||
| CVE-2025-9160 | | | 2026-04-15 | N/A | N/A |
| A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution. | |||||
| CVE-2012-10062 | | | 2026-04-15 | N/A | N/A |
| A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server. | |||||
| CVE-2025-2567 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation. | |||||
| CVE-2019-25236 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication. | |||||
| CVE-2024-23815 | | | 2026-04-15 | N/A | 7.5 HIGH |
| A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp). | |||||
| CVE-2025-11771 | | | 2026-04-15 | N/A | 5.3 MEDIUM |
| The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters. | |||||
| CVE-2020-36963 | | | 2026-04-15 | N/A | 7.5 HIGH |
| Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. | |||||
| CVE-2022-50981 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | |||||
| CVE-2025-34101 | | | 2026-04-15 | N/A | N/A |
| An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls. | |||||
| CVE-2018-25136 | | | 2026-04-15 | N/A | 7.5 HIGH |
| FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg. | |||||
| CVE-2024-47865 | | | 2026-04-15 | N/A | 5.3 MEDIUM |
| Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device. | |||||
| CVE-2024-6981 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication. | |||||
| CVE-2024-8751 | | | 2026-04-15 | N/A | 7.5 HIGH |
| A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue. | |||||
| CVE-2025-65007 | | | 2026-04-15 | N/A | N/A |
| In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2022-50977 | | | 2026-04-15 | N/A | 7.5 HIGH |
| An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | |||||
| CVE-2024-12511 | | | 2026-04-15 | N/A | 7.6 HIGH |
| With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | |||||
| CVE-2024-35294 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| An unauthenticated remote attacker may use the device's traffic capture without authentication to grab plaintext administrative credentials. | |||||
