Total
216 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26689 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered. | |||||
| CVE-2025-48202 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference. | |||||
| CVE-2025-48201 | 2026-04-15 | N/A | 8.6 HIGH | ||
| The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. | |||||
| CVE-2024-9945 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. | |||||
| CVE-2025-1542 | 2026-04-15 | N/A | N/A | ||
| Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI ServiceDesk in versions before 2.0.324.0. | |||||
| CVE-2024-6414 | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Parsec Automation TrakSYS 11.x.x. Affected is an unknown function of the file TS/export/contentpage of the component Export Page. The manipulation of the argument ID leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-270000. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-65011 | 2026-04-15 | N/A | N/A | ||
| In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-2595 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing. | |||||
| CVE-2025-53073 | 2026-04-15 | N/A | 4.2 MEDIUM | ||
| In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions (such as adding a comment) without being a member of the project's team. A seven-digit issue ID must be known (it is not treated as a secret and might be mentioned publicly, or it could be predicted). | |||||
| CVE-2025-26381 | 2026-04-15 | N/A | N/A | ||
| Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. | |||||
| CVE-2025-31971 | 2026-04-15 | N/A | 5.1 MEDIUM | ||
| AIML Solutions for HCL SX is vulnerable to a URL validation vulnerability. The issue may allow attackers to launch a server-side request forgery (SSRF) attack enabling unauthorized network calls from the system, potentially exposing internal services or sensitive information. | |||||
| CVE-2024-6188 | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Parsec Automation TrackSYS 11.x.x and classified as problematic. This issue affects some unknown processing of the file /TS/export/pagedefinition. The manipulation of the argument ID leads to direct request. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269159. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-48205 | 2026-04-15 | N/A | 8.6 HIGH | ||
| The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. | |||||
| CVE-2025-32367 | 2026-04-15 | N/A | 8.6 HIGH | ||
| The Oz Forensics face recognition application before 4.0.8 late 2023 allows PII retrieval via /statistic/list Insecure Direct Object Reference. NOTE: the number 4.0.8 was used for both the unpatched and patched versions. | |||||
| CVE-2024-7153 | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Netgear WN604 up to 20240719. Affected is an unknown function of the file siteSurvey.php. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-48207 | 2026-04-15 | N/A | 8.6 HIGH | ||
| The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. | |||||
| CVE-2022-43110 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | |||||
| CVE-2026-0650 | 2026-04-15 | N/A | N/A | ||
| OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | |||||
| CVE-2025-27581 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 allows users who lack the InET role to access the InET module via direct requests to known endpoints. | |||||
| CVE-2025-59797 | 2026-04-15 | N/A | 5.8 MEDIUM | ||
| Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page. | |||||