Vulnerabilities (CVE)

Filtered by CWE-306
Total 2147 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-6827 1 Symantec 1 Altiris Deployment Solution 2026-04-23 6.8 MEDIUM 7.8 HIGH
The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.
CVE-2007-0956 3 Canonical, Debian, Mit 3 Ubuntu Linux, Debian Linux, Kerberos 5 2026-04-23 10.0 HIGH N/A
The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
CVE-2009-1780 1 Frax 1 Php Recommend 2026-04-23 7.5 HIGH N/A
admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters.
CVE-2026-4187 2026-04-22 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. An unknown function of the file /WebService/UpdateLocalDevInfo.jsp in the component Device Identifier Handler is affected. Manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-1920 2026-04-22 N/A 5.3 MEDIUM
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.
CVE-2026-1919 2026-04-22 N/A 5.3 MEDIUM
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.
CVE-2026-40050 2026-04-22 N/A 9.8 CRITICAL
CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.
CVE-2026-24177 2026-04-22 N/A 7.7 HIGH
NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2026-5749 2026-04-22 N/A N/A
Inadequate access control in the registration process in Fullstep V5 could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
CVE-2026-22192 1 Gvectors 1 Wpdiscuz 2026-04-22 N/A 9.9 CRITICAL
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.
CVE-2026-32646 1 Mygardyn 1 Cloud Api 2026-04-22 N/A 7.5 HIGH
A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
CVE-2026-28767 1 Mygardyn 1 Cloud Api 2026-04-22 N/A 5.3 MEDIUM
A specific administrative notifications endpoint is accessible without proper authentication.
CVE-2026-28766 1 Mygardyn 1 Cloud Api 2026-04-22 N/A 9.3 CRITICAL
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
CVE-2026-32962 1 Silextechnology 3 Amc Manager, Sd-330ac, Sd-330ac Firmware 2026-04-22 N/A 5.3 MEDIUM
SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue. The device configuration may be altered without authentication.
CVE-2025-71257 1 Bmc 1 Footprints Itsm 2026-04-22 N/A 7.3 HIGH
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
CVE-2026-32957 1 Silextechnology 3 Amc Manager, Sd-330ac, Sd-330ac Firmware 2026-04-22 N/A 5.3 MEDIUM
SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue in firmware maintenance. Arbitrary files may be uploaded to the device without authentication.
CVE-2010-5326 1 Sap 1 Netweaver Application Server Java 2026-04-22 10.0 HIGH 10.0 CRITICAL
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
CVE-2017-10271 1 Oracle 1 Weblogic Server 2026-04-21 5.0 MEDIUM 7.5 HIGH
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-40184 1 Mauriceboe 1 Trek 2026-04-21 N/A 3.7 LOW
TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.
CVE-2019-25568 1 Microvirt 1 Memu 2026-04-21 N/A 9.8 CRITICAL
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.