Search Results (366895 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-57076 2026-04-15 7.5 High
A prototype pollution in the lib.post function of ajax-request v1.2.3 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-49400 1 Facebook 1 Tacquito 2026-04-15 9.8 Critical
Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed.
CVE-2024-25656 1 Avsystem 1 Unified Management Platform 2026-04-15 5.9 Medium
Improper input validation in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS can result in unauthenticated CPE (Customer Premises Equipment) devices storing arbitrarily large amounts of data during registration. This can potentially lead to DDoS attacks on the application database and, ultimately, affect the entire product.
CVE-2024-49397 1 Elvaco 1 Cme3100 Firmware 2026-04-15 N/A
The affected product is vulnerable to a cross-site scripting attack which may allow an attacker to bypass authentication and takeover admin accounts.
CVE-2024-49396 1 Elvaco 1 Cme3100 Firmware 2026-04-15 N/A
The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information.
CVE-2024-49379 1 Umbrel 1 Umbrel 2026-04-15 N/A
Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed to the redirect parameter the attacker provided JavaScript will be executed after the user entered their password and clicked on login. This vulnerability is fixed in 1.2.2.
CVE-2024-48790 1 Ilife 1 Com Ilife Home Global 2026-04-15 5.3 Medium
An issue in ILIFE com.ilife.home.global 1.8.7 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-27363 2026-04-15 6 Medium
A vulnerability was discovered in Samsung Mobile Processor Exynos 850, Exynos 9610, Exynos 980, Exynos 1280, Exynos 1380, Exynos 1330, Exynos W920, and Exynos W930 where it does not properly check a pointer address, which can lead to a Information disclosure.
CVE-2024-13957 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2026-04-15 7.6 High
SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVE-2024-48793 1 Inatronic 1 Drivedeck 2026-04-15 5.9 Medium
An issue in INATRONIC com.inatronic.bmw 2.7.1 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2023-50923 2026-04-15 4.3 Medium
In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) does not strictly constrain the bit value when the feature is disabled, which might allow remote attackers to construct a covert channel with data represented as changes to the bit value. NOTE: The "Sheridan, S., Keane, A. (2015). In Proceedings of the 14th European Conference on Cyber Warfare and Security (ECCWS), University of Hertfordshire, Hatfield, UK." paper says "Modern Internet communication protocols provide an almost infinite number of ways in which data can be hidden or embed whithin seemingly normal network traffic."
CVE-2024-13958 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2026-04-15 4.8 Medium
Stored Cross Site Scripting vulnerabilities exist in ASPECT if administrator creden-tials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVE-2024-48795 1 Creative Labs Pte Ltd 1 Com Creative Apps Xficonnect 2026-04-15 5.3 Medium
An issue in Creative Labs Pte Ltd com.creative.apps.xficonnect 2.00.02 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-48796 1 Eques 1 Eques 2026-04-15 7.5 High
An issue in EQUES com.eques.plug 1.0.1 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-56964 2026-04-15 6.5 Medium
An issue in Che Hao Duo Used Automobile Agency (Beijing) Co., Ltd Guazi Used Car iOS 10.15.1 allows attackers to access sensitive user information via supplying a crafted link.
CVE-2024-48813 1 Employee Management System Project 1 Employee Management System 2026-04-15 8.8 High
SQL injection vulnerability in employee-management-system-php-and-mysql-free-download.html taskmatic 1.0 allows a remote attacker to execute arbitrary code via the admin_id parameter of the /update-employee.php component.
CVE-2024-48822 1 Automatic Systems 1 Maintenance Slimlane 2026-04-15 8.8 High
Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page.
CVE-2024-48853 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2026-04-15 9 Critical
An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a "non" root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVE-2024-48915 1 Astroxnetwork 1 Agent Dart 2026-04-15 N/A
Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. The certificate’s timestamp, i.e /time path, is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification.
CVE-2024-13811 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site.