Total: 2920 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2005-2136 | 1 Raritan | 10 Dominion Sx16, Dominion Sx16 Firmware, Dominion Sx32 and 7 more | 2026-04-16 | 4.6 MEDIUM | N/A | Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users. |
| CVE-2021-3658 | 2 Bluez, Fedoraproject | 2 Bluez, Fedora | 2026-04-15 | 3.3 LOW | 6.5 MEDIUM | bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. |
| CVE-2026-35645 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 8.1 HIGH | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope. |
| CVE-2026-34512 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 8.1 HIGH | OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. |
| CVE-2026-35635 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 4.8 MEDIUM | OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts. |
| CVE-2026-4639 | 1 Gss | 1 Vitalsesp | 2026-04-15 | N/A | 8.8 HIGH | Vitals ESP developed by Galaxy Software Services has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges. |
| CVE-2026-39381 | 1 Parseplatform | 1 Parse-server | 2026-04-15 | N/A | 4.3 MEDIUM | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75. |
| CVE-2018-11802 | 1 Apache | 1 Solr | 2026-04-15 | 4.0 MEDIUM | 4.3 MEDIUM | In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). |
| CVE-2025-3609 | | | 2026-04-15 | N/A | 5.3 MEDIUM | The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation. |
| CVE-2024-2378 | | | 2026-04-15 | N/A | 8.0 HIGH | A vulnerability exists in the web-authentication component of the SDM600. If exploited, an attacker could escalate privileges on affected installations. |
| CVE-2024-48787 | | | 2026-04-15 | N/A | 9.1 CRITICAL | An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-54916 | | | 2026-04-15 | N/A | 6.8 MEDIUM | An issue in the SharedConfig class of Telegram Android APK v.11.7.0 allows a physically proximate attacker to bypass authentication and escalate privileges by manipulating the return value of the checkPasscode method. |
| CVE-2024-50671 | | | 2026-04-15 | N/A | 4.3 MEDIUM | Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users. |
| CVE-2024-48542 | | | 2026-04-15 | N/A | 8.4 HIGH | Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-58260 | | | 2026-04-15 | N/A | 7.6 HIGH | A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. |
| CVE-2025-30741 | | | 2026-04-15 | N/A | 4.3 MEDIUM | Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance. |
| CVE-2025-59451 | | | 2026-04-15 | N/A | 3.5 LOW | The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes. |
| CVE-2024-41617 | | | 2026-04-15 | N/A | 9.8 CRITICAL | Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution. |
| CVE-2024-51417 | | | 2026-04-15 | N/A | 6.4 MEDIUM | An issue in System.Linq.Dynamic.Core before 1.6.0 allows remote access to properties on reflection types and static properties/fields. |
| CVE-2024-52732 | | | 2026-04-15 | N/A | 9.1 CRITICAL | Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused. |
