Total
2226 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-21846 | 2026-04-15 | 5.3 Medium | ||
| An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario. | ||||
| CVE-2024-42017 | 2026-04-15 | 10 Critical | ||
| An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication. | ||||
| CVE-2025-13607 | 1 D-link | 1 Dcs-f5614-l1 | 2026-04-15 | 9.4 Critical |
| A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. | ||||
| CVE-2020-37157 | 1 Dbpower | 1 C300 Hd Camera | 2026-04-15 | 7.5 High |
| DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. | ||||
| CVE-2024-13173 | 2026-04-15 | 7.5 High | ||
| The health module has insufficient restrictions on loading URLs, which may lead to some information leakage. | ||||
| CVE-2024-10776 | 1 Sick | 2 Inspector61x Firmware, Inspector62x Firmware | 2026-04-15 | 8.2 High |
| Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer. | ||||
| CVE-2024-47865 | 1 Rakuten | 1 Turbo 5g Firmware | 2026-04-15 | 5.3 Medium |
| Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device. | ||||
| CVE-2014-125124 | 3 Artica, Pandora Fms, Pandorafms | 4 Pandora Fms, Pandora Fms, Artica Pandora Fms and 1 more | 2026-04-15 | N/A |
| An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials. | ||||
| CVE-2025-4560 | 2026-04-15 | 6.5 Medium | ||
| The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. These functions include viewing the administrator list, viewing and editing IP settings, and uploading files. | ||||
| CVE-2023-5935 | 2026-04-15 | 7.4 High | ||
| When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed. | ||||
| CVE-2025-41656 | 1 Nodered | 1 Node-red | 2026-04-15 | 10 Critical |
| An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | ||||
| CVE-2020-12484 | 2026-04-15 | 6.4 Medium | ||
| When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks. | ||||
| CVE-2019-25248 | 2026-04-15 | 7.5 High | ||
| Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism. | ||||
| CVE-2024-48775 | 1 Starvedia | 1 Ezset Firmware | 2026-04-15 | 7.5 High |
| An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
| CVE-2023-6215 | 1 Hp | 2 Hp, Sure Start Ifd Protection | 2026-04-15 | N/A |
| A potential security vulnerability has been identified in HP Sure Start’s protection of the Intel Flash Descriptor in certain HP PC products, which might allow security bypass, arbitrary code execution, loss of integrity or confidentiality, or denial of service. HP is releasing BIOS updates to mitigate the potential vulnerability. | ||||
| CVE-2024-57725 | 2026-04-15 | 6.5 Medium | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | ||||
| CVE-2025-30048 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication. | ||||
| CVE-2018-25140 | 1 Flir | 1 Thermal Traffic Cameras | 2026-04-15 | 7.5 High |
| FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication. | ||||
| CVE-2025-4557 | 2026-04-15 | 9.1 Critical | ||
| The specific APIs of Parking Management System from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific APIs and operate system functions. These functions include opening gates and restarting the system. | ||||
| CVE-2025-34101 | 1 Plex | 1 Media Server Firmware | 2026-04-15 | N/A |
| An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls. | ||||