Total
2285 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58318 | 2026-04-29 | N/A | N/A | ||
| Delta Electronics DIAView has an authentication bypass vulnerability. | |||||
| CVE-2026-2165 | 1 Detronetdip | 1 E-commerce | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-3192 | 1 Chia | 1 Blockchain | 2026-04-29 | 5.1 MEDIUM | 5.6 MEDIUM |
| A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | |||||
| CVE-2026-3053 | 1 Dinky | 1 Dinky | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-5676 | 2026-04-29 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-5906 | 1 Code-projects | 1 Laundry System | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in code-projects Laundry System 1.0. This affects an unknown part of the file /data/. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-6588 | 2026-04-29 | 6.4 MEDIUM | 6.5 MEDIUM | ||
| A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11661 | 1 Oranbyte | 1 School Management System | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery | |||||
| CVE-2026-0842 | 2026-04-29 | 5.8 MEDIUM | 6.3 MEDIUM | ||
| A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11529 | 1 Churchcrm | 1 Churchcrm | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue. | |||||
| CVE-2026-1410 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-04-29 | 6.2 MEDIUM | 6.4 MEDIUM |
| A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-7042 | 2026-04-29 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2065 | 1 Flycatcher | 2 Smart Pixelator, Smart Pixelator Firmware | 2026-04-29 | 5.8 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-6916 | 1 Totolink | 2 T6, T6 Firmware | 2026-04-29 | 8.3 HIGH | 8.8 HIGH |
| A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-11942 | 1 70mai | 2 X200, X200 Firmware | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-54013 | 2026-04-28 | N/A | N/A | ||
| Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds | |||||
| CVE-2026-3893 | 2026-04-28 | N/A | 9.4 CRITICAL | ||
| The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials. | |||||
| CVE-2026-35064 | 1 Senselive | 2 X3500, X3500 Firmware | 2026-04-28 | N/A | 7.5 HIGH |
| A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices. | |||||
| CVE-2026-40620 | 1 Senselive | 2 X3500, X3500 Firmware | 2026-04-28 | N/A | 9.8 CRITICAL |
| A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client. | |||||
| CVE-2026-27843 | 1 Senselive | 2 X3500, X3500 Firmware | 2026-04-28 | N/A | 9.1 CRITICAL |
| A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems. | |||||