Search Results (351250 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-7453 1 Saltbo 1 Zpan 2026-04-15 3.7 Low
A vulnerability was found in saltbo zpan up to 1.6.5/1.7.0-beta2. It has been rated as problematic. This issue affects the function NewToken of the file zpan/internal/app/service/token.go of the component JSON Web Token Handler. The manipulation with the input 123 leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-25684 2026-04-15 7.5 High
A lack of validation in the path parameter (/download) of GL-INet Beryl AX GL-MT3000 v4.7.0 allows attackers to download arbitrary files from the device's file system via a crafted POST request.
CVE-2025-26127 1 Filecloud 1 Filecloud 2026-04-15 5 Medium
A stored cross-site scripting (XSS) vulnerability in the Send for Approval function of FileCloud v23.241.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2025-9164 2 Docker, Microsoft 3 Desktop, Docker Desktop, Windows 2026-04-15 N/A
Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation through malicious DLL placement.This issue affects Docker Desktop: through 4.48.0.
CVE-2025-0113 2026-04-15 N/A
A problem with the network isolation mechanism of the Palo Alto Networks Cortex XDR Broker VM allows attackers unauthorized access to Docker containers from the host network used by Broker VM. This may allow access to read files sent for analysis and logs transmitted by the Cortex XDR Agent to the Cortex XDR server.
CVE-2025-29939 1 Amd 8 Epyc 7003 Series Processors, Epyc 8004 Series Processors, Epyc 9004 Series Processors and 5 more 2026-04-15 N/A
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
CVE-2025-29948 1 Amd 2 Epyc 9005 Series Processors, Epyc Embedded 9005 Series Processors 2026-04-15 N/A
Improper access control in AMD Secure Encrypted Virtualization (SEV) firmware could allow a malicious hypervisor to bypass RMP protections, potentially resulting in a loss of SEV-SNP guest memory integrity.
CVE-2025-29951 1 Amd 4 Ryzen 5000 Series Mobile Processors With Radeon Graphics, Ryzen Embedded R1000 Series Processors, Ryzen Embedded R2000 Series Processors and 1 more 2026-04-15 N/A
A buffer overflow in the AMD Secure Processor (ASP) bootloader could allow an attacker to overwrite memory, potentially resulting in privilege escalation and arbitrary code execution.
CVE-2025-30508 1 Intel 1 Intel Platforms 2026-04-15 6.5 Medium
Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2024-7074 2026-04-15 6.8 Medium
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
CVE-2025-7917 2026-04-15 7.2 High
WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVE-2024-8685 2026-04-15 4.3 Medium
Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the ‘/pictory/php/getFileList.php’ endpoint in the ‘dir’ parameter.
CVE-2024-8684 2026-04-15 8.3 High
OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the ‘php/dal.php’ endpoint, in the ‘arrSaveConfig’ parameter.
CVE-2024-8679 2026-04-15 6.8 Medium
The Library Management System – Manage e-Digital Books Library plugin for WordPress is vulnerable to SQL Injection via the ‘value' parameter of the owt_lib_handler AJAX action in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-2366 1 Gougucms 1 Gougucms 2026-04-15 2.4 Low
A vulnerability, which was classified as problematic, was found in gougucms 4.08.18. This affects the function add of the file /admin/department/add of the component Add Department Page. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2365 1 Crmeb 1 Crmeb Java 2026-04-15 6.3 Medium
A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-8666 2026-04-15 6.4 Medium
The Shoutcast Icecast HTML5 Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'html5radio' shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-27708 1 Intel 1 Converged Security Management Engine Firmware 2026-04-15 4.1 Medium
Out-of-bounds read in the firmware for some Intel(R) Converged Security and Management Engine (CSME) Firmware (FW) within Ring 0: Kernel may allow an information disclosure. System software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2023-53948 1 Cat03 1 Lilac-reloaded 2026-04-15 9.8 Critical
Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint.
CVE-2024-52276 1 Docusign 1 Docusign 2026-04-15 7.5 High
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does not show the layer flattened version, which is provided when the "Print" option is used. 2. Displayed version does not show the layer flattened version, which is provided when the combined download option is used. 3. Displayed version does not show the layer flattened version, which is also the provided version when downloading the result in the uncombined option. Once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSign: through 2024-12-04.