Search Results (7010 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-46964 1 Google 1 Android 2026-04-15 8.1 High
The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity component.
CVE-2024-39071 1 Fujiankelixun 1 Command And Dispatch Platform 2026-04-15 9.8 Critical
Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.
CVE-2024-49214 1 Haproxy 1 Haproxy 2026-04-15 5.3 Medium
QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.
CVE-2024-51757 1 Capricorn86 1 Happy-dom 2026-04-15 N/A
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.
CVE-2025-2335 2026-04-15 3.5 Low
A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-24482 2026-04-15 N/A
A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.
CVE-2025-23292 1 Nvidia 1 License System 2026-04-15 4.6 Medium
NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to partial denial of service (UI component).
CVE-2025-2354 2026-04-15 4.3 Medium
A vulnerability has been found in VAM Virtual Airlines Manager 2.6.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vam/index.php. The manipulation of the argument registry_id/plane_icao/hub_id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-6726 2026-04-15 8.8 High
Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE).
CVE-2024-48818 2026-04-15 9.8 Critical
An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code.
CVE-2024-5651 1 Redhat 2 Workload Availability Far, Workload Availability Fence Agents Remediation 2026-04-15 8.8 High
A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting  --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges.
CVE-2025-67489 1 Vitejs 1 Plugin-rsc 2026-04-15 9.8 Critical
@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6.
CVE-2024-10771 1 Sick 3 Inspector61x Firmware, Inspector62x Firmware, Tim3xx 2026-04-15 8.8 High
Due to missing input validation during one step of the firmware update process, the product is vulnerable to remote code execution. With network access and the user level ”Service”, an attacker can execute arbitrary system commands in the root user’s contexts.
CVE-2024-10262 2026-04-15 6.3 Medium
The The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2024-10315 2026-04-15 N/A
In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Alpha Inferno PVT LTD.
CVE-2025-25246 1 Netgear 2 Xr1000, Xr500 2026-04-15 8.1 High
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
CVE-2024-8002 1 Viwis 1 Lms 2026-04-15 4.3 Medium
A vulnerability has been found in VIWIS LMS 9.11 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component File Upload. The manipulation of the argument filename leads to cross site scripting. The attack can be launched remotely. Upgrading to version 9.12 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2025-67750 1 Flow-scanner 1 Lightning-flow-scanner 2026-04-15 8.4 High
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
CVE-2025-0219 2026-04-15 2.4 Low
A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01. Affected by this issue is some unknown functionality of the component Receiver Status Identity Tab. The manipulation of the argument System Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-0220 2026-04-15 2.4 Low
A vulnerability, which was classified as problematic, was found in Trimble SPS851 488.01. This affects an unknown part of the component Ethernet Configuration Menu. The manipulation of the argument Hostname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.