Total
5052 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39797 | 2026-04-15 | 6.5 Medium | ||
| Improper access control in some drivers for Intel(R) Ethernet Connection I219 Series before version 12.19.1.39 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2023-51786 | 1 Lustre | 1 Lustre | 2026-04-15 | 9.1 Critical |
| An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4, allows attackers to escalate privileges and obtain sensitive information via Incorrect Access Control. | ||||
| CVE-2023-30583 | 1 Nodejs | 1 Nodejs | 2026-04-15 | 7.5 High |
| fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2025-51627 | 2026-04-15 | 6.5 Medium | ||
| Incorrect access control in CaricaVerbale in Agenzia Impresa Eccobook v2.81.1 allows authenticated attackers with low-level access to escalate privileges to Administrator. | ||||
| CVE-2024-57360 | 1 Gnu | 1 Binutils | 2026-04-15 | 5.5 Medium |
| https://www.gnu.org/software/binutils/ nm >=2.43 is affected by: Incorrect Access Control. The type of exploitation is: local. The component is: `nm --without-symbol-version` function. | ||||
| CVE-2025-20341 | 1 Cisco | 2 Catalyst Center, Digital Network Architecture Center | 2026-04-15 | 8.8 High |
| A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | ||||
| CVE-2025-29270 | 1 Deep Sea Electronics | 1 Dse855 | 2026-04-15 | 10 Critical |
| Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device. | ||||
| CVE-2025-56406 | 2 Neo4j, Neo4j-contrib | 2 Neo4j, Mcp-neo4j | 2026-04-15 | 7.5 High |
| An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed). | ||||
| CVE-2024-33393 | 1 Spidernet-io | 1 Spiderpool | 2026-04-15 | 6.2 Medium |
| An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | ||||
| CVE-2022-23829 | 2026-04-15 | 8.2 High | ||
| A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections. | ||||
| CVE-2023-38296 | 1 Tcl | 1 30z Firmware | 2026-04-15 | 8 High |
| Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys) and TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys). This malicious app reads from the "persist.sys.tctPowerIccid" system property to indirectly obtain the ICCID. | ||||
| CVE-2025-23164 | 2026-04-15 | N/A | ||
| A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding livestream subsequent to such link becoming disabled. | ||||
| CVE-2024-21741 | 1 Gigadevice | 1 Gd32e103c8t6 | 2026-04-15 | 9.8 Critical |
| GigaDevice GD32E103C8T6 devices have Incorrect Access Control. | ||||
| CVE-2025-10847 | 1 Broadcom | 1 Unified Infrastructure Management | 2026-04-15 | N/A |
| DX Unified Infrastructure Management (Nimsoft/UIM) and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system. | ||||
| CVE-2024-12307 | 1 Unifiedtransform | 1 Unifiedtransform | 2026-04-15 | 4.3 Medium |
| A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available. | ||||
| CVE-2025-20099 | 1 Intel | 1 Rapid Storage Technology | 2026-04-15 | 6.7 Medium |
| Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-57155 | 1 Radar | 1 Radar | 2026-04-15 | 9.8 Critical |
| Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token. | ||||
| CVE-2023-52164 | 2026-04-15 | 5.1 Medium | ||
| access_device.cgi on Digiever DS-2105 Pro 3.1.0.71-11 devices allows arbitrary file read. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-31207 | 1 Vitejs | 1 Vite | 2026-04-15 | 5.9 Medium |
| Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. | ||||
| CVE-2024-12294 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts. | ||||