Total
482 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31127 | 1 Zscaler | 1 Client Connector | 2026-04-15 | 7.3 High |
| An improper verification of a loaded library in Zscaler Client Connector on Mac < 4.2.0.241 may allow a local attacker to elevate their privileges. | ||||
| CVE-2019-25211 | 2 Gin-contrib, Redhat | 2 Cors, Rhmt | 2026-04-15 | 9.1 Critical |
| parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed. | ||||
| CVE-2025-42706 | 2 Crowdstrike, Microsoft | 2 Falcon, Windows | 2026-04-15 | 6.5 Medium |
| A logic error exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long Term Visibility (LTV) sensors. There is no indication of exploitation of these issues in the wild. Our threat hunting and intelligence teams are actively monitoring for exploitation and we maintain visibility into any such attempts. The Falcon sensor for Mac, the Falcon sensor for Linux and the Falcon sensor for Legacy Systems are not impacted by this. CrowdStrike was made aware of this issue through our HackerOne bug bounty program. It was discovered by Cong Cheng and responsibly disclosed. | ||||
| CVE-2024-44734 | 1 Mirotalk | 1 Mirotalk P2p | 2026-04-15 | 7.5 High |
| Incorrect access control in Mirotalk before commit 9de226 allows attackers to arbitrarily change usernames via sending a crafted roomAction request to the server. | ||||
| CVE-2021-47157 | 1 Kossy | 1 Kossy | 2026-04-15 | 9.8 Critical |
| The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling. | ||||
| CVE-2025-23117 | 2026-04-15 | 6.8 Medium | ||
| An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. | ||||
| CVE-2024-13068 | 1 Akinsoft | 1 Limondesk | 2026-04-15 | 7.3 High |
| Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing.This issue affects LimonDesk: from s1.02.14 before v1.02.17. | ||||
| CVE-2024-45354 | 2026-04-15 | 4.3 Medium | ||
| A code execution vulnerability exists in the Xiaomi shop applicationproduct. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code. | ||||
| CVE-2026-5876 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 6.5 Medium |
| Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-5899 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 6.1 Medium |
| Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5918 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5919 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 6.5 Medium |
| Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-14279 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2026-04-14 | N/A |
| MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | ||||
| CVE-2020-26143 | 4 Alfa, Arista, Redhat and 1 more | 13 Awus036h, Awus036h Firmware, C-65 and 10 more | 2026-04-14 | 6.5 Medium |
| An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. | ||||
| CVE-2020-26141 | 4 Alfa, Cisco, Redhat and 1 more | 191 Awus036h, Awus036h Firmware, Ip Conference Phone 8832 and 188 more | 2026-04-14 | 6.5 Medium |
| An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. | ||||
| CVE-2020-26140 | 6 Alfa, Arista, Cisco and 3 more | 389 Awus036h, Awus036h Firmware, C-100 and 386 more | 2026-04-14 | 6.5 Medium |
| An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. | ||||
| CVE-2025-9180 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-13 | 8.1 High |
| Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. | ||||
| CVE-2025-5263 | 2 Mozilla, Redhat | 7 Firefox, Enterprise Linux, Rhel Aus and 4 more | 2026-04-13 | 4.3 Medium |
| Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | ||||
| CVE-2025-3029 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2026-04-13 | 7.3 High |
| A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. | ||||
| CVE-2025-23109 | 1 Mozilla | 1 Firefox | 2026-04-13 | 6.5 Medium |
| Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134. | ||||