Total
2285 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-33715 | 1 Chamilo | 1 Chamilo Lms | 2026-04-23 | N/A | 7.2 HIGH |
| Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3. | |||||
| CVE-2026-25058 | 1 Vexa | 1 Vexa | 2026-04-23 | N/A | 7.5 HIGH |
| Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue. | |||||
| CVE-2026-26944 | 1 Dell | 2 Data Domain Operating System, Powerprotect Dp Series Appliance | 2026-04-23 | N/A | 8.8 HIGH |
| Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. Exploitation requires an authenticated user to perform a specific action. | |||||
| CVE-2026-34285 | 1 Oracle | 1 Identity Manager Connector | 2026-04-23 | N/A | 9.1 CRITICAL |
| Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | |||||
| CVE-2026-34286 | 1 Oracle | 1 Identity Manager Connector | 2026-04-23 | N/A | 9.1 CRITICAL |
| Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | |||||
| CVE-2026-34288 | 1 Oracle | 1 Identity Manager Connector | 2026-04-23 | N/A | 5.9 MEDIUM |
| Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2026-34289 | 1 Oracle | 1 Identity Manager Connector | 2026-04-23 | N/A | 5.9 MEDIUM |
| Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2008-6827 | 1 Symantec | 1 Altiris Deployment Solution | 2026-04-23 | 6.8 MEDIUM | 7.8 HIGH |
| The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function. | |||||
| CVE-2007-0956 | 3 Canonical, Debian, Mit | 3 Ubuntu Linux, Debian Linux, Kerberos 5 | 2026-04-23 | 10.0 HIGH | N/A |
| The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882. | |||||
| CVE-2009-1780 | 1 Frax | 1 Php Recommend | 2026-04-23 | 7.5 HIGH | N/A |
| admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters. | |||||
| CVE-2026-4187 | 2026-04-22 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1920 | 2026-04-22 | N/A | 5.3 MEDIUM | ||
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins. | |||||
| CVE-2026-1919 | 2026-04-22 | N/A | 5.3 MEDIUM | ||
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data. | |||||
| CVE-2026-40050 | 2026-04-22 | N/A | 9.8 CRITICAL | ||
| CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing. | |||||
| CVE-2026-24177 | 2026-04-22 | N/A | 7.7 HIGH | ||
| NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure. | |||||
| CVE-2026-22192 | 1 Gvectors | 1 Wpdiscuz | 2026-04-22 | N/A | 9.9 CRITICAL |
| Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials. | |||||
| CVE-2026-32646 | 1 Mygardyn | 1 Cloud Api | 2026-04-22 | N/A | 7.5 HIGH |
| A specific administrative endpoint is accessible without proper authentication, exposing device management functions. | |||||
| CVE-2026-28767 | 1 Mygardyn | 1 Cloud Api | 2026-04-22 | N/A | 5.3 MEDIUM |
| A specific administrative endpoint notifications is accessible without proper authentication. | |||||
| CVE-2026-28766 | 1 Mygardyn | 1 Cloud Api | 2026-04-22 | N/A | 9.3 CRITICAL |
| A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication. | |||||
| CVE-2026-32962 | 1 Silextechnology | 3 Amc Manager, Sd-330ac, Sd-330ac Firmware | 2026-04-22 | N/A | 5.3 MEDIUM |
| SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue. The device configuration may be altered without authentication. | |||||