Search Results (365174 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-45288 1 Freebsd 1 Freebsd 2026-04-15 8.4 High
A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer.
CVE-2025-8306 2026-04-15 N/A
Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.  Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0
CVE-2024-24853 1 Intel 1 Processor 2026-04-15 7.2 High
Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-55078 2026-04-15 9.8 Critical
An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2025-8861 2026-04-15 9.8 Critical
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
CVE-2024-48290 1 Realtek 1 Rtl8762ekf-evb Firmware 2026-04-15 4.3 Medium
An issue in the Bluetooth Low Energy implementation of Realtek RTL8762E BLE SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ll_terminate_ind packet.
CVE-2024-4389 1 Averta 7 Add Image Slider, Carousel Slider, Coupon Popup and 4 more 2026-04-15 8.8 High
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadFile function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with contributor access or higher, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-4395 2026-04-15 7.8 High
The XPC service within the audit functionality of Jamf Compliance Editor before version 1.3.1 on macOS can lead to local privilege escalation.
CVE-2024-37492 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gutenberg Team Gutenberg allows Stored XSS.This issue affects Gutenberg: from n/a through 18.6.0.
CVE-2025-59052 1 Angular 1 Angular 2026-04-15 7.1 High
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
CVE-2024-48293 1 Quickheal Antivirus Pro 1 Quickheal Antivirus Pro 2026-04-15 6.5 Medium
Incorrect access control in QuickHeal Antivirus Pro 24.1.0.182 and earlier allows authenticated attackers with low-level privileges to arbitrarily modify antivirus settings.
CVE-2024-5804 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-32014 1 Siemens 1 Spectrum Power 4 2026-04-15 4.7 Medium
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to alter the local database which contains the application credentials. This allows an attacker to gain administrative application privileges.
CVE-2025-61736 1 Johnsoncontrols 5 Istar Edge, Istar Ultra, Istar Ultra Lt and 2 more 2026-04-15 N/A
Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.
CVE-2024-34406 2026-04-15 5.3 Medium
Improper exception handling in McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to cause a denial of service through the use of a malformed deep link.
CVE-2024-28126 2026-04-15 6.1 Medium
Cross-site scripting vulnerability exists in 0ch BBS Script ver.4.00. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using 0ch BBS Script ver.4.00.
CVE-2024-44067 1 Alibaba 2 T-head Xuantie C910, T-head Xuantie C920 2026-04-15 8.4 High
The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C920 CPU in the SOPHON SG2042 have instructions that allow unprivileged attackers to write to arbitrary physical memory locations, aka GhostWrite.
CVE-2024-48294 1 Wondershare Pdf Reader 1 Wondershare Pdf Reader 2026-04-15 5.5 Medium
A NULL pointer dereference in the component libPdfCore.dll of Wondershare PDF Reader v1.0.9.2544 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CVE-2024-12404 1 Wordpress 1 Wordpress 2026-04-15 7.5 High
The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'post_title' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-11955 2 Microsoft, Thegreenbow 6 Windows, Ipsec Vpn Client, Thegreenbow Vpn Client and 3 more 2026-04-15 N/A
Incorrect validation of OCSP certificates vulnerability in TheGreenBow VPN, versions 7.5 and 7.6. During the IKEv2 authentication step, the OCSP-enabled VPN client establishes the tunnel even if it does not receive an OCSP response or if the OCSP response signature is invalid.