Total: 219 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-53073 | | | 2026-04-15 | N/A | 4.2 MEDIUM | In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions (such as adding a comment) without being a member of the project's team. A seven-digit issue ID must be known (it is not treated as a secret and might be mentioned publicly, or it could be predicted). |
| CVE-2025-26381 | | | 2026-04-15 | N/A | N/A | Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. |
| CVE-2025-31971 | | | 2026-04-15 | N/A | 5.1 MEDIUM | AIML Solutions for HCL SX contains a URL validation vulnerability. The issue may allow attackers to launch a server-side request forgery (SSRF) attack, enabling unauthorized network calls from the system and potentially exposing internal services or sensitive information. |
| CVE-2024-6188 | | | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability was found in Parsec Automation TrackSYS 11.x.x and classified as problematic. This issue affects some unknown processing of the file /TS/export/pagedefinition. The manipulation of the argument ID leads to direct request. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269159. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-48205 | | | 2026-04-15 | N/A | 8.6 HIGH | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2025-32367 | | | 2026-04-15 | N/A | 8.6 HIGH | The Oz Forensics face recognition application before 4.0.8 (late 2023) allows PII retrieval via an Insecure Direct Object Reference in /statistic/list. NOTE: the number 4.0.8 was used for both the unpatched and patched versions. |
| CVE-2024-7153 | | | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability classified as problematic has been found in Netgear WN604 up to 20240719. Affected is an unknown function of the file siteSurvey.php. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-48207 | | | 2026-04-15 | N/A | 8.6 HIGH | The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2022-43110 | | | 2026-04-15 | N/A | 9.8 CRITICAL | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allow a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system, including changing the web interface admin password, viewing or changing the system configuration, enumerating connected UPS devices, and shutting down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. |
| CVE-2026-0650 | | | 2026-04-15 | N/A | N/A | OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. |
| CVE-2025-27581 | | | 2026-04-15 | N/A | 4.3 MEDIUM | NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 allows users who lack the InET role to access the InET module via direct requests to known endpoints. |
| CVE-2025-59797 | | | 2026-04-15 | N/A | 5.8 MEDIUM | Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page. |
| CVE-2025-52920 | | | 2026-04-15 | N/A | 6.4 MEDIUM | Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID. |
| CVE-2026-4532 | 1 Carmelo | 1 Simple Food Order System | 2026-04-10 | 5.0 MEDIUM | 5.3 MEDIUM | A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the component Database Backup Handler. The manipulation leads to files or directories being accessible. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. It is recommended to change the configuration settings. |
| CVE-2026-29909 | 1 Mrcms | 1 Mrcms | 2026-04-02 | N/A | 5.3 MEDIUM | MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials. |
| CVE-2026-32867 | 1 Opexustech | 1 Ecase Ecomplaint | 2026-03-30 | N/A | 5.4 MEDIUM | OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage. |
| CVE-2026-34051 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 5.4 MEDIUM | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix. |
| CVE-2026-34056 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.7 HIGH | OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of the time of publication, no known patched versions are available. |
| CVE-2026-1978 | 1 Kalyan02 | 1 Nanocms | 2026-02-27 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. |
| CVE-2019-2388 | 1 Mongodb | 1 Ops Manager | 2026-02-23 | 5.0 MEDIUM | 5.8 MEDIUM | In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9 and 4.0.10, and MongoDB Ops Manager 4.1 version 4.1.5. |
