Search Results (366256 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-23589 2026-04-15 6.8 Medium
Due to outdated Hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data using brute-force or dictionary attacks efficiently using modern hardware such as GPUs or ASICs
CVE-2025-10460 1 Beims 1 Contractorweb.net 2026-04-15 N/A
A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input validation on /BEIMSWeb/contractor.asp endpoint and successful exploitation requires a contractor.asp endpoint open to the internet. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database.  Version 5.7.139  has been confirmed as vulnerable. Other versions have not been confirmed by the vendor and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor.
CVE-2024-32394 1 Ruijie 1 Rg-rsr10-01g-t\(wa\)-s 2026-04-15 8.8 High
An issue in ruijie.com/cn RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 and RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 allows a remote attacker to execute arbitrary code via a crafted HTTP request.
CVE-2024-23580 1 Hcl Software 1 Dryice Optibot Reset Station 2026-04-15 6.5 Medium
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values.
CVE-2024-23579 1 Hcl Software 1 Dryice Optibot Reset Station 2026-04-15 6.5 Medium
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values.
CVE-2025-9193 2026-04-15 3.5 Low
A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that "[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs." This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-9190 2 Apple, Cursor 2 Macos, Cursor 2026-04-15 N/A
The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model.
CVE-2024-52283 2026-04-15 5.7 Medium
Missing sanitation of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project
CVE-2024-23485 2026-04-15 4.6 Medium
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation (CWE-1304) in the Controller 6000 and 7000 can lead to secured door locks connected via Aperio Communication Hubs to momentarily allow free access.  This issue affects: Gallagher Controller 6000 and 7000 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)),  8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.
CVE-2024-2327 2026-04-15 6.4 Medium
The Global Elementor Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link URL in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-52271 1 Documenso 1 Documenso 2026-04-15 N/A
User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects Documenso: through 1.8.0, >1.8.0 and Documenso SaaS (Hosted) as of 2024-12-05.
CVE-2024-23079 2026-04-15 6.2 Medium
JGraphT Core v1.5.2 was discovered to contain a NullPointerException via the component org.jgrapht.alg.util.ToleranceDoubleComparator::compare(Double, Double). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CVE-2024-52269 1 Docusign 1 Docusign 2026-04-15 8.1 High
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. The SaaS AI assistant ignores hidden content that is rendered after signing, misleading the user. For reference see: CVE-2024-52276 This issue affects DocuSign: through 2024-12-04.
CVE-2024-2303 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Easy Textillate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'textillate' shortcode in all versions up to, and including, 2.01 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5223 2026-04-15 6.4 Medium
The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploading feature in all versions up to, and including, 4.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-20065 2 Intel, Microsoft 2 Display Virtualization, Windows 2026-04-15 6.7 Medium
Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2024-7755 2026-04-15 8.2 High
The EWON FLEXY 202 transmits credentials using a weak encoding method base64. An attacker who is present in the network can sniff the traffic and decode the credentials.
CVE-2025-9162 1 Redhat 1 Build Keycloak 2026-04-15 4.9 Medium
A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.
CVE-2025-9157 1 Appneta 1 Tcpreplay 2026-04-15 5.3 Medium
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue.
CVE-2025-4690 1 Angularjs 1 Angularjs 2026-04-15 4.3 Medium
A regular expression used by AngularJS'  linky https://docs.angularjs.org/api/ngSanitize/filter/linky  filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a Regular expression Denial of Service (ReDoS) https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS  attack on the application. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .