Total
2191 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2165 | 1 Detronetdip | 1 E-commerce | 2026-04-18 | 7.3 High |
| A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-25848 | 1 Jetbrains | 1 Hub | 2026-04-18 | 9.1 Critical |
| In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible | ||||
| CVE-2026-25878 | 1 Friendsofshopware | 2 Froshadminer, Froshplatformadminer | 2026-04-18 | 5.3 Medium |
| FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1. | ||||
| CVE-2026-25938 | 1 Frangoteam | 1 Fuxa | 2026-04-18 | 9.8 Critical |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11. | ||||
| CVE-2026-2249 | 1 Metis Cyberspace Technology Sa | 1 Metis Dfs | 2026-04-18 | 9.8 Critical |
| METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services. | ||||
| CVE-2026-25084 | 1 Zlan Information Technology Co. | 1 Zlan5143d | 2026-04-18 | 9.8 Critical |
| Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs. | ||||
| CVE-2026-24789 | 1 Zlan Information Technology Co. | 1 Zlan5143d | 2026-04-18 | 9.8 Critical |
| An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication. | ||||
| CVE-2026-26048 | 1 Jinan Usr Iot Technology Limited (pusr) | 1 Usr-w610 | 2026-04-18 | 7.5 High |
| The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker can use this to cause unauthorized disruptions and create a denial-of-service condition. | ||||
| CVE-2026-27471 | 1 Frappe | 1 Erpnext | 2026-04-18 | 9.1 Critical |
| ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1. | ||||
| CVE-2026-3192 | 1 Chia | 1 Blockchain | 2026-04-18 | 5.6 Medium |
| A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | ||||
| CVE-2026-3194 | 1 Chia | 1 Blockchain | 2026-04-18 | 4.5 Medium |
| A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | ||||
| CVE-2026-33032 | 2 0xjacky, Nginxui | 2 Nginx-ui, Nginx Ui | 2026-04-18 | 9.8 Critical |
| Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-35546 | 2026-04-18 | 9.8 Critical | ||
| Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell. | ||||
| CVE-2026-21445 | 1 Langflow | 1 Langflow | 2026-04-18 | 9.1 Critical |
| Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch. | ||||
| CVE-2026-0625 | 2 D-link, Dlink | 9 Dsl-2640b, Dsl-2740r, Dsl-2780b and 6 more | 2026-04-18 | N/A |
| Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). | ||||
| CVE-2026-0650 | 1 Openflagr | 1 Flagr | 2026-04-18 | N/A |
| OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | ||||
| CVE-2026-0842 | 2026-04-18 | 6.3 Medium | ||
| A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-22788 | 1 Wem-project | 1 Wem | 2026-04-18 | 8.2 High |
| WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. | ||||
| CVE-2026-0492 | 1 Sap | 2 Hana, Hana Database | 2026-04-18 | 8.8 High |
| SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability. | ||||
| CVE-2026-22238 | 2 Bluspark Global, Blusparkglobal | 2 Bluvoyix, Bluvoyix | 2026-04-18 | 9.8 Critical |
| The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user. | ||||