Total
2225 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36874 | 1 Ace Security | 1 Wip-90113 Hd Camera | 2026-04-15 | N/A |
| ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | ||||
| CVE-2014-125126 | 2026-04-15 | N/A | ||
| An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application’s upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise. | ||||
| CVE-2014-125116 | 1 Hybridauth Social Login Project | 1 Hybridauth Social Login | 2026-04-15 | N/A |
| A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional. | ||||
| CVE-2024-10774 | 1 Sick | 2 Inspector61x Firmware, Inspector62x Firmware | 2026-04-15 | 7.3 High |
| Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication. | ||||
| CVE-2024-50589 | 1 Hasomed | 1 Elefant | 2026-04-15 | 7.5 High |
| An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). | ||||
| CVE-2017-20222 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2026-04-14 | 7.5 High |
| Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthenticated remote reboot vulnerability that allows attackers to trigger device reboot without authentication. Attackers can send POST requests to the lte.cgi endpoint with the Command=Reboot parameter to cause denial of service by forcing the router to restart. | ||||
| CVE-2026-22898 | 2 Qnap, Qnap Systems | 2 Qvr Pro, Qvr Pro | 2026-04-14 | 9.8 Critical |
| A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later | ||||
| CVE-2026-35053 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2026-04-14 | 9.8 Critical |
| OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42. | ||||
| CVE-2025-30650 | 1 Juniper Networks | 1 Junos Os | 2026-04-14 | 6.7 Medium |
| A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to Linux-based line cards as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105 This issue affects Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2. | ||||
| CVE-2026-23662 | 1 Microsoft | 1 Azure Iot Explorer | 2026-04-14 | 7.5 High |
| Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-4436 | 1 Gpl Odorizers | 4 Gpl750 (xl4), Gpl750 (xl4 Prime), Gpl Odorizers Gpl750 (xl7) and 1 more | 2026-04-14 | 8.6 High |
| A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line. | ||||
| CVE-2026-5724 | 1 Temporal | 1 Temporal | 2026-04-13 | N/A |
| The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected. | ||||
| CVE-2026-39848 | 1 10ij | 1 Dockyard | 2026-04-13 | 6.5 Medium |
| Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name=<container> or /apps/action.php?action=start&name=<container>, which starts or stops the target container. This vulnerability is fixed in 1.1.0. | ||||
| CVE-2026-33788 | 1 Juniper Networks | 1 Junos Os Evolved | 2026-04-13 | 7.8 High |
| A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO. | ||||
| CVE-2026-5777 | 1 Egate | 1 Atom 3x Projector | 2026-04-13 | N/A |
| This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device. | ||||
| CVE-2026-4810 | 1 Google Cloud | 1 Agent Development Kit (adk) | 2026-04-13 | N/A |
| A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This vulnerability was patched in versions 1.28.1 and 2.0.0a2. Customers need to redeploy the upgraded ADK to their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance. | ||||
| CVE-2026-32211 | 1 Microsoft | 1 Azure Web Apps | 2026-04-10 | 9.1 Critical |
| Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-34952 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-10 | 9.1 Critical |
| PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97. | ||||
| CVE-2019-25686 | 1 Coreftp | 1 Core Ftp | 2026-04-09 | 7.5 High |
| Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process. | ||||
| CVE-2018-25225 | 2 Sipp, Sipp Project | 2 Sipp, Sipp | 2026-04-09 | 8.4 High |
| SIPP 3.3 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious input in the configuration file. Attackers can craft a configuration file with oversized values that overflow a stack buffer, overwriting the return address and executing arbitrary code through return-oriented programming gadgets. | ||||