Export limit exceeded: 12153 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12153 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-50340 1 Sogo 1 Webmail 2026-04-15 4.3 Medium
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.
CVE-2025-32942 1 Ssh 1 Tectia Server 2026-04-15 7.2 High
SSH Tectia Server before 6.6.6 sometimes allows attackers to read and alter a user's session traffic.
CVE-2024-9262 2026-04-15 6.5 Medium
The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.
CVE-2025-46344 1 Auth0 1 Nextjs-auth0 2026-04-15 N/A
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.
CVE-2025-4407 2026-04-15 6.7 Medium
Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1.
CVE-2025-25036 1 Jalios 1 Jcms 2026-04-15 6.8 Medium
Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).
CVE-2025-34226 1 Openplcproject 2 Openplc, Openplc V3 2026-04-15 N/A
OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate until a restart; on restart the runtime can fail to start because of corrupted database entries, resulting in persistent denial of service requiring complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09.
CVE-2025-24835 1 Intel 2 Arc B Graphics, Graphics Driver 2026-04-15 6.5 Medium
Protection mechanism failure in the Intel(R) Graphics Driver for the Intel(R) Arc(TM) B-Series graphics before version 32.0.101.6737 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-35968 1 Intel 1 Slim Bootloader 2026-04-15 6.4 Medium
Protection mechanism failure in the UEFI firmware for the Slim Bootloader within firmware may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2021-22501 2026-04-15 N/A
Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation.  The vulnerability could be exploited to confidential information This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.
CVE-2025-55345 1 Openai 1 Codex 2026-04-15 8.8 High
Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.
CVE-2023-53958 1 Ltb-project 1 Ldap Tool Box Self Service Password 2026-04-15 7.5 High
LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens.
CVE-2025-54568 2026-04-15 3.7 Low
Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node.
CVE-2024-35312 2026-04-15 6.2 Medium
In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003.
CVE-2025-11690 1 Cfmoto 1 Ride 2026-04-15 8.5 High
An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix.
CVE-2024-7409 1 Redhat 4 Advanced Virtualization, Enterprise Linux, Openshift and 1 more 2026-04-15 N/A
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
CVE-2024-12046 2026-04-15 4.3 Medium
The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.
CVE-2025-30075 2 Microsoft, Mindmanager 2 Windows, Mindmanager 2026-04-15 2.2 Low
In Alludo MindManager before 25.0.208 on Windows, attackers could potentially execute code as other local users on the same machine if they could write DLL files to directories within victims' DLL search paths.
CVE-2025-53535 1 Better-auth 1 Better Auth 2026-04-15 N/A
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
CVE-2024-11275 2026-04-15 4.3 Medium
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.