Search Results (351250 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-20461 1 Alecto 1 Ivm-100 Firmware 2026-04-15 9.8 Critical
An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side.
CVE-2019-20459 1 Epson 1 Xp-255 2026-04-15 8.4 High
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. With the SNMPv1 public community, all values can be read, and with the epson community, all the changeable values can be written/updated, as demonstrated by permanently disabling the network card or changing the DNS servers.
CVE-2019-20458 1 Epson 1 Xp-255 2026-04-15 8.8 High
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set up a password on the device (leaving a number of devices without a password). In this case, anyone connecting to the web admin panel is capable of becoming admin without using any credentials.
CVE-2019-20457 1 Brother 1 Mfc-j491dw 2026-04-15 9.1 Critical
An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD5 hash of the password in hexadecimal. An attacker can easily derive the true MD5 hash from this, and use offline cracking attacks to obtain administrative access to the device.
CVE-2019-19751 1 Easymine 1 Easymine 2026-04-15 5.6 Medium
easyMINE before 2019-12-05 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io.
CVE-2020-37093 1 Netis-systems 1 Netis E1+ 2026-04-15 7.5 High
Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text.
CVE-2020-37087 1 Rubikon Teknoloji 1 Easy Transfer 2026-04-15 N/A
Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application.
CVE-2020-37081 1 Fishing Reservation System 1 Fishing Reservation System 2026-04-15 7.1 High
Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction.
CVE-2011-10034 1 Irai 1 Automgen 2026-04-15 N/A
AUTOMGEN versions up to and including 8.0.0.7 (also referenced as 8.022) contain a vulnerability in that project file handling frees an object and subsequently dereferences the stale pointer when processing certain malformed fields. The dangling-pointer use enables an attacker to influence an indirect call through attacker-controlled memory, resulting in denial-of-service. In some conditions, remote code execution may be possible.
CVE-2025-24508 2026-04-15 6.4 Medium
Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage
CVE-2023-46049 2026-04-15 5.3 Medium
LLVM 15.0.0 has a NULL pointer dereference in the parseOneMetadata() function via a crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto. NOTE: this is disputed because the relationship between pdflatex.fmt and any LLVM language front end is not explained, and because a crash of the llvm-lto application should be categorized as a usability problem.
CVE-2024-7894 1 Andreiigna 1 If Menu 2026-04-15 5.3 Medium
The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.
CVE-2020-37078 1 I-doit 1 I-doit 2026-04-15 8.8 High
i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.
CVE-2020-36978 1 Froxlor 1 Froxlor 2026-04-15 6.4 Medium
Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules.
CVE-2020-36979 1 Atheros 1 Coex Service Application 2026-04-15 7.8 High
Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup.
CVE-2023-6544 1 Redhat 3 Build Keycloak, Red Hat Single Sign On, Rhosemc 2026-04-15 5.4 Medium
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.
CVE-2020-36981 1 Motorola-device-manager 1 Motorola Device Manager 2026-04-15 7.8 High
Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup.
CVE-2025-25333 2026-04-15 7.5 High
An issue in IKEA CN iOS 4.13.0 allows attackers to access sensitive user information via supplying a crafted link.
CVE-2020-36984 1 Epson 1 Senadb 2026-04-15 7.8 High
EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ to inject malicious executables that will run with LocalSystem permissions.
CVE-2025-12751 2 Elextensions, Wordpress 2 Wschat, Wordpress 2026-04-15 4.3 Medium
The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.