Search Results (363318 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-55346 1 Flowiseai 1 Flowise 2026-04-15 9.8 Critical
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
CVE-2024-51562 1 Freebsd 1 Freebsd 2026-04-15 6.5 Medium
The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.
CVE-2024-2912 1 Bentoml 1 Bentoml 2026-04-15 10 Critical
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.
CVE-2024-51563 1 Freebsd 1 Freebsd 2026-04-15 6.5 Medium
The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.
CVE-2025-4424 1 Insyde 1 Insydeh2o 2026-04-15 6 Medium
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability.  https://support.lenovo.com/us/en/product_security/home
CVE-2025-62487 2026-04-15 3.5 Low
On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the default authorization rules defined in the Auth Chooser configuration. On most environments, it is expected that the default authorization rules only add the Everyone group.
CVE-2024-0257 1 Robodk 1 Robodk 2026-04-15 3.3 Low
RoboDK v5.5.4 is vulnerable to heap-based buffer overflow while processing a specific project file. The resulting memory corruption may crash the application.
CVE-2025-0352 2026-04-15 7.5 High
Rapid Response Monitoring My Security Account App utilizes an API that could be exploited by an attacker to modify request data, potentially causing the API to return information about other users.
CVE-2025-66744 1 Yonyou 1 Yonbip 2026-04-15 7.5 High
In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system
CVE-2025-0355 2026-04-15 7.5 High
Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to get a Wi-Fi password via the network.
CVE-2025-0404 1 Liujianview 1 Gymxmjpa 2026-04-15 6.3 Medium
A vulnerability has been found in liujianview gymxmjpa 1.0 and classified as critical. This vulnerability affects the function CoachController of the file src/main/java/com/liujian/gymxmjpa/controller/CoachController.java. The manipulation of the argument coachName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-29150 1 Ale International 1 Alcatel-lucent Ale Deskphones 2026-04-15 8.8 High
An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of improper privilege management, an authenticated attacker is able to create symlinks to sensitive and protected data in locations that are used for debugging files. Given that the process of gathering debug logs is carried out with root privileges, any file referenced in the symlink is consequently written to the debug archive, thereby granting accessibility to the attacker.
CVE-2024-29167 2026-04-15 7.2 High
SVR-116 firmware version 1.6.0.30028871 allows a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.
CVE-2025-0455 1 Netvision 1 Airpass 2026-04-15 9.8 Critical
The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-0456 1 Netvision 1 Airpass 2026-04-15 9.8 Critical
The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve * all accounts and passwords.
CVE-2025-0459 1 Libretro 1 Retroarch 2026-04-15 5.3 Medium
A vulnerability, which was classified as problematic, has been found in libretro RetroArch up to 1.19.1 on Windows. Affected by this issue is some unknown functionality in the library profapi.dll of the component Startup. The manipulation leads to untrusted search path. An attack has to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-0507 2026-04-15 6.4 Medium
The Ticketmeo – Sell Tickets – Event Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-68873 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloédigital PRIMER by chloédigital primer-by-chloedigital allows Reflected XSS.This issue affects PRIMER by chloédigital: from n/a through <= 1.0.25.
CVE-2025-68874 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS.This issue affects Visitor Stats Widget: from n/a through <= 1.5.0.
CVE-2022-4979 1 Sitecore 4 Cms, Experience Platform, Managed Cloud and 1 more 2026-04-15 N/A
A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.