Search Results (367171 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-28109 2026-04-15 8.1 High
veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.
CVE-2024-2479 1 Mha Sistemas 1 Armhazena 2026-04-15 3.5 Low
A vulnerability classified as problematic has been found in MHA Sistemas arMHAzena 9.6.0.0. This affects an unknown part of the component Cadastro Page. The manipulation of the argument Query leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256887. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-24786 2 Golang, Redhat 24 Go, Acm, Ceph Storage and 21 more 2026-04-15 7.5 High
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2025-7071 2026-04-15 N/A
Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.
CVE-2024-24785 1 Redhat 18 Ceph Storage, Enterprise Linux, Kube Descheduler Operator and 15 more 2026-04-15 5.4 Medium
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2017-20201 2 Microsoft, Piriform 2 Windows, Ccleaner 2026-04-15 N/A
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.
CVE-2024-24784 2 Go Standard Library, Redhat 14 Net\/mail, Advanced Cluster Security, Ceph Storage and 11 more 2026-04-15 7.5 High
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2020-10369 2026-04-15 5.5 Medium
Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow inferences about memory content via a "Spectra" attack.
CVE-2025-8858 2026-04-15 7.5 High
Clinic Image System developed by Changing has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2017-20200 2026-04-15 3.7 Low
A vulnerability has been found in Coinomi up to 1.7.6. This issue affects some unknown processing. Such manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor replied with: "(...) there isn't any security implication associated with your findings."
CVE-2025-64389 1 Circutor 1 Tcprs1plus 2026-04-15 N/A
The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol.
CVE-2024-4363 2026-04-15 6.4 Medium
The Visual Portfolio, Photo Gallery & Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-28149 2026-04-15 6.1 Medium
An issue was discovered in the IhisiServiceSmm module in Insyde InsydeH2O with kernel 5.2 before 05.28.42, 5.3 before 05.37.42, 5.4 before 05.45.39, 5.5 before 05.53.39, and 5.6 before 05.60.39 that could allow an attacker to modify UEFI variables.
CVE-2024-43415 1 Decidim International Community Environment 1 Decidim-module-decidim Awesome 2026-04-15 9 Critical
An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands.
CVE-2024-43411 2026-04-15 3.1 Low
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.
CVE-2025-27714 2026-04-15 6.3 Medium
An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise.
CVE-2024-37468 1 Blazethemes 1 Newsmatic 2026-04-15 5.3 Medium
Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1.
CVE-2024-43326 1 Wordpress 1 Wordpress 2026-04-15 5.4 Medium
Missing Authorization vulnerability in Jamie Bergen Plugin Notes Plus allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Plugin Notes Plus: from n/a through 1.2.7.
CVE-2024-4332 1 Fortra 1 Tripwire Enterprise 2026-04-15 N/A
An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.
CVE-2025-14116 1 Yuxi-know Project 1 Yuxi-know 2026-04-15 4.7 Medium
A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion).