Total
2225 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2567 | 2026-04-15 | 9.8 Critical | ||
| An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation. | ||||
| CVE-2022-43110 | 1 Voltronicpower | 1 Viewpower | 2026-04-15 | 9.8 Critical |
| Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | ||||
| CVE-2020-37157 | 1 Dbpower | 1 C300 Hd Camera | 2026-04-15 | 7.5 High |
| DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. | ||||
| CVE-2024-45438 | 2026-04-15 | 9.1 Critical | ||
| An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication. | ||||
| CVE-2025-61673 | 1 Aiven | 2 Aiven, Karapace | 2026-04-15 | 8.6 High |
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2. | ||||
| CVE-2025-30041 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs. | ||||
| CVE-2025-14058 | 1 Lenovo | 31 Idea Tab Pro Tb373fu, Idea Tab Tb336fu, Legion Tab Tb320fc and 28 more | 2026-04-15 | 3.2 Low |
| A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. | ||||
| CVE-2024-45229 | 1 Versa | 1 Director | 2026-04-15 | N/A |
| The Versa Director offers REST APIs for orchestration and management. By design, certain APIs, such as the login screen, banner display, and device registration, do not require authentication. However, it was discovered that for Directors directly connected to the Internet, one of these APIs can be exploited by injecting invalid arguments into a GET request, potentially exposing the authentication tokens of other currently logged-in users. These tokens can then be used to invoke additional APIs on port 9183. This exploit does not disclose any username or password information. Currently, there are no workarounds in Versa Director. However, if there is Web Application Firewall (WAF) or API Gateway fronting the Versa Director, it can be used to block access to the URLs of vulnerable API. /vnms/devicereg/device/* (on ports 9182 & 9183) and /versa/vnms/devicereg/device/* (on port 443). Versa recommends that Directors be upgraded to one of the remediated software versions. This vulnerability is not exploitable on Versa Directors not exposed to the Internet.We have validated that no Versa-hosted head ends have been affected by this vulnerability. Please contact Versa Technical Support or Versa account team for any further assistance. | ||||
| CVE-2025-64307 | 1 Brightpick Ai | 1 Internal Logic Control | 2026-04-15 | 6.5 Medium |
| The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes. | ||||
| CVE-2025-41655 | 2026-04-15 | 7.5 High | ||
| An unauthenticated remote attacker can access a URL which causes the device to reboot. | ||||
| CVE-2025-41703 | 1 Phoenix Contact | 4 Quint4-ups/24dc/24dc/10/eip, Quint4-ups/24dc/24dc/20/eip, Quint4-ups/24dc/24dc/40/eip and 1 more | 2026-04-15 | 7.5 High |
| An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command. | ||||
| CVE-2025-30126 | 1 Marbella | 1 Kr8s Dashcam | 2026-04-15 | 5.3 Medium |
| An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the car from being used. During the process of changing these settings, there are no indications or sounds on the dashcam to alert the dashcam owner that someone else is making those changes. | ||||
| CVE-2025-34100 | 2026-04-15 | N/A | ||
| An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngineās improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution. | ||||
| CVE-2025-30410 | 1 Acronis | 3 Acronis Cyber Protect 15, Acronis Cyber Protect 16, Cyber Protect Cloud Agent | 2026-04-15 | N/A |
| Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 41800. | ||||
| CVE-2025-41716 | 1 Wago | 1 Solution Builder | 2026-04-15 | 5.3 Medium |
| The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. | ||||
| CVE-2024-10776 | 1 Sick | 2 Inspector61x Firmware, Inspector62x Firmware | 2026-04-15 | 8.2 High |
| Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer. | ||||
| CVE-2022-50979 | 2 Avibia, Innomic | 20 Avibialine Avle1 Hd, Avibialine Avle2 Hd, Avibialine Avle4 Hd and 17 more | 2026-04-15 | 6.5 Medium |
| An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | ||||
| CVE-2025-13607 | 1 D-link | 1 Dcs-f5614-l1 | 2026-04-15 | 9.4 Critical |
| A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. | ||||
| CVE-2024-53623 | 1 Tp-link | 1 Archer C7 Firmware | 2026-04-15 | 7.5 High |
| Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. | ||||
| CVE-2020-36873 | 1 Astak | 1 Cm-818t3 | 2026-04-15 | N/A |
| Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | ||||