Search Results (352517 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43875 | 1 Johnsoncontrols | 5 Istar Edge G2, Istar Ultra, Istar Ultra G2 and 2 more | 2026-04-15 | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | ||||
| CVE-2025-43879 | | | 2026-04-15 | N/A |
| WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the telnet function. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed. | ||||
| CVE-2025-43880 | | | 2026-04-15 | N/A |
| Inefficient regular expression complexity issue exists in GROWI prior to v7.1.6. If exploited, a logged-in user may cause a denial of service (DoS) condition. | ||||
| CVE-2025-43881 | | | 2026-04-15 | N/A |
| Improper validation of specified quantity in input issue exists in Real-time Bus Tracking System versions prior to 1.1. If exploited, a denial of service (DoS) condition may be caused by an attacker who can log in to the administrative page of the affected product. | ||||
| CVE-2025-4389 | | | 2026-04-15 | 9.8 Critical |
| The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-44044 | | | 2026-04-15 | 7.5 High |
| Keyoti SearchUnit prior to 9.0.0 is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system. | ||||
| CVE-2025-43916 | | | 2026-04-15 | 3.4 Low |
| Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret." | ||||
| CVE-2025-43917 | 1 Pritunl | 1 Pritunl-client | 2026-04-15 | 8.2 High |
| In Pritunl Client before 1.3.4220.57, an administrator with access to /Applications can escalate privileges after uninstalling the product. Specifically, an administrator can insert a new file at the pathname of the removed pritunl-service file. This file then is executed by a LaunchDaemon as root. | ||||
| CVE-2025-43918 | | | 2026-04-15 | 6.4 Medium |
| SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain. | ||||
| CVE-2025-43922 | 1 Filewave | 1 Filewave | 2026-04-15 | 8.1 High |
| The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM. | ||||
| CVE-2025-41727 | 1 Beckhoff | 4 Beckhoff.device.manager.xar, Mdp Package, Twincat and 1 more | 2026-04-15 | 7.8 High |
| A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | ||||
| CVE-2025-41726 | 1 Beckhoff | 4 Beckhoff.device.manager.xar, Mdp Package, Twincat and 1 more | 2026-04-15 | 8.8 High |
| A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | ||||
| CVE-2025-41723 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 9.8 Critical |
| The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker can bypass the path restriction and upload files to arbitrary locations. | ||||
| CVE-2025-41722 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 7.5 High |
| The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the software of the affected devices. | ||||
| CVE-2025-41721 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 2.7 Low |
| A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate. | ||||
| CVE-2025-41720 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2026-04-15 | 4.3 Medium |
| A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. | ||||
| CVE-2025-4172 | | | 2026-04-15 | 6.4 Medium |
| The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-41718 | 1 Murrelektronik | 4 Firmware Impact67 Pro 54620, Firmware Impact67 Pro 54630, Firmware Impact67 Pro 54631 and 1 more | 2026-04-15 | 7.5 High |
| A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI. | ||||
| CVE-2025-41716 | 1 Wago | 1 Solution Builder | 2026-04-15 | 5.3 Medium |
| The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. | ||||
| CVE-2025-40976 | 1 Workdo | 1 Ticketgo | 2026-04-15 | N/A |
| Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticketgo-saas/home’, using the ‘description’ parameter. | ||||