Total
216 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-7500 | 2026-04-30 | N/A | 5.4 MEDIUM | ||
| When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API. | |||||
| CVE-2025-15153 | 1 Pbootcms | 1 Pbootcms | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing a manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. Modifying the configuration settings is advised. | |||||
| CVE-2025-10287 | 2026-04-29 | 2.1 LOW | 3.1 LOW | ||
| A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11280 | 1 Frappe | 1 Learning | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2025-14697 | 2026-04-29 | 2.6 LOW | 3.7 LOW | ||
| A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-4900 | 2026-04-24 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings. | |||||
| CVE-2026-25679 | 1 Golang | 1 Go | 2026-04-21 | N/A | 7.5 HIGH |
| url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |||||
| CVE-2024-58343 | 2026-04-17 | N/A | 4.3 MEDIUM | ||
| Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | |||||
| CVE-2026-22732 | 1 Vmware | 1 Spring Security | 2026-04-16 | N/A | 9.1 CRITICAL |
| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. | |||||
| CVE-2005-1685 | 1 Episodex | 1 Episodex Guestbook | 2026-04-16 | 7.5 HIGH | N/A |
| episodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp. | |||||
| CVE-2005-1698 | 1 Postnuke | 1 Postnuke | 2026-04-16 | 5.0 MEDIUM | N/A |
| PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitive information via a direct request to (1) theme.php or (2) Xanthia.php in the Xanthia module, (3) user.php, (4) thelang.php, (5) text.php, (6) html.php, (7) menu.php, (8) finclude.php, or (9) button.php in the pnblocks directory in the Blocks module, (10) config.php in the NS-Multisites (aka Multisites) module, or (11) xmlrpc.php, which reveals the path in an error message. | |||||
| CVE-2005-1697 | 1 Postnuke | 1 Postnuke | 2026-04-16 | 5.0 MEDIUM | N/A |
| The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote attackers to obtain sensitive information via a direct request to simple_smarty.php, which reveals the path in an error message. | |||||
| CVE-2002-1798 | 1 Midicart | 3 Midicart Php, Midicart Php Maxi, Midicart Php Plus | 2026-04-16 | 6.4 MEDIUM | 9.1 CRITICAL |
| MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php. | |||||
| CVE-2004-2144 | 1 Baalsystems | 1 Baal Smart Forms | 2026-04-16 | 7.5 HIGH | N/A |
| Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php. | |||||
| CVE-2005-1654 | 1 Hostingcontroller | 1 Hosting Controller | 2026-04-16 | 7.5 HIGH | N/A |
| Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set. | |||||
| CVE-2005-1827 | 1 Dlink | 2 Dsl-504t, Dsl-504t Firmware | 2026-04-16 | 7.5 HIGH | N/A |
| D-Link DSL-504T allows remote attackers to bypass authentication and gain privileges, such as upgrade firmware, restart the router or restore a saved configuration, via a direct request to firmwarecfg. | |||||
| CVE-2005-1892 | 1 Flatnuke | 1 Flatnuke | 2026-04-16 | 6.4 MEDIUM | N/A |
| FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message. | |||||
| CVE-2005-1688 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. | |||||
| CVE-2005-1668 | 1 Yusasp | 1 Web Asset Manager | 2026-04-16 | 7.5 HIGH | N/A |
| YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp. | |||||
| CVE-2004-2257 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-04-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request. | |||||