Total: 219 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-34028 | | | 2026-06-15 | N/A | N/A |
| The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/. | | | | | |
| CVE-2026-11986 | | | 2026-06-11 | N/A | 4.9 MEDIUM |
| A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control. | | | | | |
| CVE-2026-7500 | 1 Redhat | 1 Build Of Keycloak | 2026-06-10 | N/A | 5.4 MEDIUM |
| When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API. | | | | | |
| CVE-2026-8205 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | N/A | 5.3 MEDIUM |
| Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting. | | | | | |
| CVE-2025-15587 | | | 2026-05-19 | N/A | N/A |
| Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0). | | | | | |
| CVE-2017-2161 | 1 Toshiba | 1 Flashair | 2026-05-13 | 2.7 LOW | 3.5 LOW |
| FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and earlier and FlashAirTM SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04 and earlier allows authenticated attackers to bypass access restrictions to obtain unauthorized image data via unspecified vectors. | | | | | |
| CVE-2017-2143 | 1 Frogman Office Inc | 2 Cs-cart Japanese Edition, Cs-cart Multivendor Japanese Edition | 2026-05-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| CS-Cart Japanese Edition v4.3.10-jp-1 and earlier, CS-Cart Multivendor Japanese Edition v4.3.10-jp-1 and earlier allows remote attackers to bypass access restriction to create a request to return a customer purchased item via rma.post.php. | | | | | |
| CVE-2017-2139 | 1 Frogman Office Inc | 1 Cs-cart | 2026-05-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to bypass access restriction to obtain customer information via orders.pre.php. | | | | | |
| CVE-2017-15235 | 1 Horde | 1 Groupware | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename. | | | | | |
| CVE-2017-10833 | 1 Nippon-antenna | 2 Scr02hd, Scr02hd Firmware | 2026-05-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| "Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows remote attackers to bypass access restriction to view information or modify configurations via unspecified vectors. | | | | | |
| CVE-2017-14244 | 1 Iball | 2 Ib-wra150n, Ib-wra150n Firmware | 2026-05-13 | 10.0 HIGH | 9.8 CRITICAL |
| An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. | | | | | |
| CVE-2017-2486 | 1 Apple | 2 Iphone Os, Safari | 2026-05-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site. | | | | | |
| CVE-2015-2873 | 1 Trendmicro | 1 Deep Discovery Inspector | 2026-05-06 | 5.5 MEDIUM | N/A |
| Trend Micro Deep Discovery Inspector (DDI) on Deep Discovery Threat appliances with software before 3.5.1477, 3.6.x before 3.6.1217, 3.7.x before 3.7.1248, 3.8.x before 3.8.1263, and other versions allows remote attackers to obtain sensitive information or change the configuration via a direct request to the (1) system log URL, (2) whitelist URL, or (3) blacklist URL. | | | | | |
| CVE-2025-15153 | 1 Pbootcms | 1 Pbootcms | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing a manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. Modifying the configuration settings is advised. | | | | | |
| CVE-2025-10287 | | | 2026-04-29 | 2.1 LOW | 3.1 LOW |
| A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | | | | | |
| CVE-2025-11280 | 1 Frappe | 1 Learning | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | | | | | |
| CVE-2025-14697 | | | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | | | | | |
| CVE-2026-4900 | | | 2026-04-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings. | | | | | |
| CVE-2026-25679 | 1 Golang | 1 Go | 2026-04-21 | N/A | 7.5 HIGH |
| url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | | | | | |
| CVE-2024-58343 | | | 2026-04-17 | N/A | 4.3 MEDIUM |
| Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | | | | | |
