Total
227 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-0456 | 1 Gitlab | 1 Gitlab | 2026-04-19 | 4.3 Medium |
| An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project | ||||
| CVE-2026-0790 | 2 Algo, Algosolutions | 3 8180 Ip Audio Alerter, 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-04-18 | 7.5 High |
| ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | ||||
| CVE-2026-1978 | 1 Kalyan02 | 1 Nanocms | 2026-04-18 | 5.3 Medium |
| A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. | ||||
| CVE-2026-0650 | 1 Openflagr | 1 Flagr | 2026-04-18 | N/A |
| OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | ||||
| CVE-2024-58343 | 1 Vision | 1 Helpdesk | 2026-04-17 | 4.3 Medium |
| Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | ||||
| CVE-2026-22732 | 2 Spring, Vmware | 2 Spring Security, Spring Security | 2026-04-16 | 9.1 Critical |
| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. | ||||
| CVE-2005-1697 | 1 Postnuke | 1 Postnuke | 2026-04-16 | N/A |
| The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote attackers to obtain sensitive information via a direct request to simple_smarty.php, which reveals the path in an error message. | ||||
| CVE-2004-2257 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-04-16 | 5.3 Medium |
| phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request. | ||||
| CVE-2004-2144 | 1 Baalsystems | 1 Baal Smart Forms | 2026-04-16 | N/A |
| Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php. | ||||
| CVE-2002-1798 | 1 Midicart | 3 Midicart Php, Midicart Php Maxi, Midicart Php Plus | 2026-04-16 | 9.1 Critical |
| MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php. | ||||
| CVE-2005-1685 | 1 Episodex | 1 Episodex Guestbook | 2026-04-16 | N/A |
| episodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp. | ||||
| CVE-2005-1654 | 1 Hostingcontroller | 1 Hosting Controller | 2026-04-16 | N/A |
| Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set. | ||||
| CVE-2005-1827 | 1 Dlink | 2 Dsl-504t, Dsl-504t Firmware | 2026-04-16 | N/A |
| D-Link DSL-504T allows remote attackers to bypass authentication and gain privileges, such as upgrade firmware, restart the router or restore a saved configuration, via a direct request to firmwarecfg. | ||||
| CVE-2005-1688 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 5.3 Medium |
| Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. | ||||
| CVE-2005-1668 | 1 Yusasp | 1 Web Asset Manager | 2026-04-16 | N/A |
| YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp. | ||||
| CVE-2005-1892 | 1 Flatnuke | 1 Flatnuke | 2026-04-16 | N/A |
| FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message. | ||||
| CVE-2005-1698 | 1 Postnuke | 1 Postnuke | 2026-04-16 | N/A |
| PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitive information via a direct request to (1) theme.php or (2) Xanthia.php in the Xanthia module, (3) user.php, (4) thelang.php, (5) text.php, (6) html.php, (7) menu.php, (8) finclude.php, or (9) button.php in the pnblocks directory in the Blocks module, (10) config.php in the NS-Multisites (aka Multisites) module, or (11) xmlrpc.php, which reveals the path in an error message. | ||||
| CVE-2025-48205 | 1 Typo3 | 1 Sr Feuser Register Extension | 2026-04-15 | 8.6 High |
| The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. | ||||
| CVE-2025-10287 | 1 Roncoo | 1 Roncoo-pay | 2026-04-15 | 3.1 Low |
| A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-48201 | 2026-04-15 | 8.6 High | ||
| The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. | ||||