Search Results (3569 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-27758 1 Rpyc Project 1 Rpyc 2026-04-15 8.4 High
In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
CVE-2024-1491 2026-04-15 7.5 High
The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
CVE-2025-36757 1 Solax 1 Solax Cloud 2026-04-15 N/A
It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system.
CVE-2025-36535 1 Automationdirect 1 Mb Gateway 2026-04-15 10 Critical
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
CVE-2025-32978 1 Quest 1 Kace Systems Management Appliance 2026-04-15 7.5 High
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service.
CVE-2025-58318 1 Delta Electronics 1 Diaview 2026-04-15 N/A
Delta Electronics DIAView has an authentication bypass vulnerability.
CVE-2025-41090 1 Ccn-cert 1 Microclaudia 2026-04-15 N/A
microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually. This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccines configurations.
CVE-2024-32720 2026-04-15 5.3 Medium
Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality.This issue affects Appointment Hour Booking: from n/a through 1.4.56.
CVE-2025-8450 1 Fortra 2 Filecatalyst Direct, Filecatalyst Workflow 2026-04-15 8.2 High
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
CVE-2024-3219 1 Python Software Foundation 1 Cpython 2026-04-15 N/A
The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
CVE-2025-14510 1 Abb 1 Ability Optimax 2026-04-15 8.1 High
Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120.
CVE-2025-10658 2 Supportcandy, Wordpress 2 Supportcandy, Wordpress 2026-04-15 6.5 Medium
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
CVE-2025-67780 1 Spacex 1 Starlink Dish 2026-04-15 4.2 Medium
SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish.
CVE-2025-6029 2026-04-15 N/A
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release.  CVE Record will be updated once this is clarified.
CVE-2025-34130 1 Tvt 1 Dvr Firmware 2026-04-15 N/A
An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot.
CVE-2024-21824 2026-04-15 5.3 Medium
Improper authentication vulnerability in exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative user. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
CVE-2025-14346 2026-04-15 9.8 Critical
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.
CVE-2025-1714 2026-04-15 N/A
Lack of Rate Limiting in Sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy online allows attacker to enumerate valid user emails and potentially DOS the server
CVE-2018-25141 1 Flir 2 Flir Ax8 Firmware, Thermal Traffic Cameras 2026-04-15 7.5 High
FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication.
CVE-2022-50979 2 Avibia, Innomic 20 Avibialine Avle1 Hd, Avibialine Avle2 Hd, Avibialine Avle4 Hd and 17 more 2026-04-15 6.5 Medium
An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485).