Export limit exceeded: 367103 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 35583 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (5724 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-50870 2026-04-15 9.8 Critical
Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or permissions of the requesting user. This allows any authenticated or unauthenticated attacker to enumerate and retrieve sensitive student details by altering the email value in the request URL, leading to information disclosure.
CVE-2024-53494 2026-04-15 7.5 High
Incorrect access control in the preHandle function of SpringBootBlog v1.0.0 allows attackers to access sensitive components without authentication.
CVE-2025-10247 1 Jepaas 1 Jepaas 2026-04-15 6.3 Medium
A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-1646 2026-04-15 7.3 High
A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-45333 2026-04-15 7.3 High
Improper access control for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-57247 2026-04-15 9.1 Critical
The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base ERC20 contract are declared as public without proper access control modifiers, allowing any user to bypass transfer restrictions and manipulate special address settings. This enables unauthorized users to circumvent cold time transfer restrictions and potentially disrupt dividend distribution mechanisms, leading to privilege escalation and violation of the contract's intended tokenomics.
CVE-2025-45095 1 Lavasoft 2 Adaware, Web Companion 2026-04-15 7.3 High
Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path.
CVE-2024-38518 1 Bigbluebutton 1 Bigbluebutton 2026-04-15 4.6 Medium
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
CVE-2024-46627 1 Becn 1 Datagerry 2026-04-15 9.1 Critical
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
CVE-2025-23083 1 Redhat 2 Enterprise Linux, Rhel Eus 2026-04-15 N/A
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
CVE-2024-55954 1 Openobserve 1 Openobserve 2026-04-15 8.7 High
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2025-4281 2026-04-15 4.3 Medium
A vulnerability, which was classified as problematic, was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7. This affects an unknown part of the file /api/GylOperator/LoadData. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-25133 2026-04-15 8.8 High
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.
CVE-2025-10371 2 Echarge, Hardy-barth 2 Salia Plcc, Cph2 Echarge 2026-04-15 7.3 High
A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-45982 1 Scheduler 1 Scheduler 2026-04-15 8.8 High
A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts.
CVE-2025-29556 1 Exagrid 1 Ex10 2026-04-15 7.3 High
ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with an Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval.
CVE-2025-0783 2026-04-15 6.3 Medium
A vulnerability, which was classified as problematic, was found in pankajindevops scale up to 20241113. This affects an unknown part of the component API Endpoint. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
CVE-2025-3580 1 Grafana 1 Grafana 2026-04-15 5.5 Medium
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
CVE-2025-29557 2026-04-15 5.4 Medium
ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.
CVE-2024-3765 2026-04-15 9.8 Critical
A vulnerability classified as critical was found in Xiongmai AHB7804R-MH-V2, AHB8004T-GL, AHB8008T-GL, AHB7004T-GS-V3, AHB7004T-MHV2, AHB8032F-LME and XM530_R80X30-PQ_8M. Affected by this vulnerability is an unknown functionality of the component Sofia Service. The manipulation with the input ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.