Export limit exceeded: 352371 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3312 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65007 | 2026-04-15 | N/A | ||
| In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-59097 | 1 Dormakaba | 1 Access Manager | 2026-04-15 | N/A |
| The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | ||||
| CVE-2025-6029 | 2026-04-15 | N/A | ||
| Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | ||||
| CVE-2025-10991 | 1 Tp-link | 3 Tapo, Tapo D230s1, Tp-link | 2026-04-15 | N/A |
| The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device. This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907. | ||||
| CVE-2025-30111 | 2026-04-15 | 7.5 High | ||
| On IROAD v9 devices, one can Remotely Dump Video Footage and the Live Video Stream. The dashcam exposes endpoints that allow unauthorized users, who gained access through other means, to list and download recorded videos, as well as access live video streams without proper authentication. | ||||
| CVE-2024-1573 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2026-04-15 | 5.9 Medium |
| Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper Historian versions 10.97.2 and prior, Mitsubishi Electric AnalytiX versions 10.97.2 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 and prior, Mitsubishi Electric IoTWorX version 10.95, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 and prior, and Mitsubishi Electric Iconics Digital Solutions IoTWorX version 10.95 allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: (1) Active Directory is used in the security setting (2) "Automatic log in" option is enabled in the security setting (3) The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONCIS Suite, and MC Works64 Security and has permission to log in. | ||||
| CVE-2025-23017 | 2026-04-15 | 6 Medium | ||
| WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred. | ||||
| CVE-2024-49399 | 1 Elvaco | 1 Cme3100 Firmware | 2026-04-15 | N/A |
| The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information. | ||||
| CVE-2025-55138 | 2026-04-15 | 7.4 High | ||
| LinkJoin through 882f196 mishandles token ownership in password reset. | ||||
| CVE-2024-10649 | 2026-04-15 | N/A | ||
| wandb/openui latest commit c945bb859979659add5f490a874140ad17c56a5d contains a vulnerability where unauthenticated endpoints allow file uploads and downloads from an AWS S3 bucket. This can lead to multiple security issues including denial of service, stored XSS, and information disclosure. The affected endpoints are '/v1/share/{id:str}' for uploading and '/v1/share/{id:str}' for downloading JSON files. The lack of authentication allows any user to upload and overwrite files, potentially causing the S3 bucket to run out of space, injecting malicious scripts, and accessing sensitive information. | ||||
| CVE-2024-12511 | 2026-04-15 | 7.6 High | ||
| With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | ||||
| CVE-2025-41232 | 2026-04-15 | 9.1 Critical | ||
| Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: * You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and * You have Spring Security method annotations on a private method In that case, the target method may be able to be invoked without proper authorization. You are not affected if: * You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or * You have no Spring Security-annotated private methods | ||||
| CVE-2024-2051 | 2026-04-15 | 9.8 Critical | ||
| CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form. | ||||
| CVE-2014-125113 | 2 Dell, Quest | 2 Kace K1000 Systems Management Appliance Software, Kace Systems Management Appliance | 2026-04-15 | N/A |
| An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths. | ||||
| CVE-2020-36871 | 1 Escam | 1 Qd-900 Wifi Hd Camera | 2026-04-15 | N/A |
| ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup can include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that may facilitate further compromise of the camera or connected network. | ||||
| CVE-2025-60251 | 1 Unitree | 4 B2, G1, Go2 and 1 more | 2026-04-15 | 5 Medium |
| Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. | ||||
| CVE-2025-1496 | 2026-04-15 | 6.5 Medium | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in BG-TEK Coslat Hotspot allows Password Brute Forcing, Authentication Abuse.This issue affects Coslat Hotspot: before 6.26.0.R.20250227. | ||||
| CVE-2024-57725 | 2026-04-15 | 6.5 Medium | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | ||||
| CVE-2024-48775 | 1 Starvedia | 1 Ezset Firmware | 2026-04-15 | 7.5 High |
| An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
| CVE-2025-46801 | 2026-04-15 | N/A | ||
| Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database. | ||||