Total
2194 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1491 | 2026-04-15 | 7.5 High | ||
| The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | ||||
| CVE-2025-49596 | 2026-04-15 | N/A | ||
| The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities. | ||||
| CVE-2025-30126 | 1 Marbella | 1 Kr8s Dashcam | 2026-04-15 | 5.3 Medium |
| An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the car from being used. During the process of changing these settings, there are no indications or sounds on the dashcam to alert the dashcam owner that someone else is making those changes. | ||||
| CVE-2025-10991 | 1 Tp-link | 3 Tapo, Tapo D230s1, Tp-link | 2026-04-15 | N/A |
| The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device. This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907. | ||||
| CVE-2012-10062 | 2 Apache Friends, Apachefriends | 2 Xampp, Xampp | 2026-04-15 | N/A |
| A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server. | ||||
| CVE-2025-27935 | 1 Pingidentity | 1 Pingfederate | 2026-04-15 | N/A |
| The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication. | ||||
| CVE-2025-8350 | 1 Inrove Software And Internet Services | 1 Bieticaret Cms | 2026-04-15 | 9.8 Critical |
| Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-51543 | 2026-04-15 | 9.8 Critical | ||
| An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint. | ||||
| CVE-2021-26278 | 2026-04-15 | 6.3 Medium | ||
| The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device. | ||||
| CVE-2019-25240 | 2026-04-15 | 9.8 Critical | ||
| Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. | ||||
| CVE-2025-61673 | 1 Aiven | 2 Aiven, Karapace | 2026-04-15 | 8.6 High |
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2. | ||||
| CVE-2024-36457 | 1 Broadcom | 1 Symantec Privileged Access Management | 2026-04-15 | N/A |
| The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint. | ||||
| CVE-2018-25137 | 1 Flir | 1 Brickstream 3d+ | 2026-04-15 | 7.5 High |
| FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation. | ||||
| CVE-2026-22207 | 1 Volcengine | 1 Openviking | 2026-04-15 | 9.8 Critical |
| OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration. | ||||
| CVE-2024-2104 | 1 Jbl | 2 Live Pro 2 Tws, Tune Flex | 2026-04-15 | 8.8 High |
| Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable. | ||||
| CVE-2025-12003 | 1 Asus | 1 Router | 2026-04-15 | N/A |
| A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | ||||
| CVE-2024-55538 | 1 Acronis | 1 True Image | 2026-04-15 | N/A |
| Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736, Acronis True Image OEM (macOS) before build 42571, Acronis True Image OEM (Windows) before build 42575. | ||||
| CVE-2025-3759 | 2026-04-15 | N/A | ||
| Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-12484 | 2026-04-15 | 6.4 Medium | ||
| When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks. | ||||
| CVE-2025-48397 | 1 Eaton | 1 Brightlayer Software Suite | 2026-04-15 | 7.1 High |
| The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004). | ||||