Total
322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50425 | 2026-04-23 | 6.5 Medium | ||
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roland Murg WP Booking System wp-booking-system.This issue affects WP Booking System: from n/a through <= 2.0.19.10. | ||||
| CVE-2024-49252 | 1 Teplitsa Of Social Technologies | 1 Leyka | 2026-04-23 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in VaultDweller Leyka leyka.This issue affects Leyka: from n/a through <= 3.31.6. | ||||
| CVE-2024-48024 | 1 Wordpress | 1 Wordpress | 2026-04-23 | 7.5 High |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Fahad Mahmood Keep Backup Daily keep-backup-daily allows Retrieve Embedded Sensitive Data.This issue affects Keep Backup Daily: from n/a through <= 2.1.3. | ||||
| CVE-2026-25344 | 2 Radiustheme, Wordpress | 2 Review Schema, Wordpress | 2026-04-23 | 6.5 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through <= 2.2.6. | ||||
| CVE-2026-41459 | 2026-04-23 | 5.3 Medium | ||
| Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php. | ||||
| CVE-2025-43406 | 1 Apple | 1 Macos | 2026-04-22 | 5.5 Medium |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | ||||
| CVE-2025-11710 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-04-20 | 9.8 Critical |
| A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. | ||||
| CVE-2025-3032 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-20 | 7.4 High |
| Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks. This vulnerability was fixed in Firefox 137 and Thunderbird 137. | ||||
| CVE-2026-22537 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-04-18 | N/A |
| The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker. | ||||
| CVE-2026-0853 | 2026-04-18 | 5.3 Medium | ||
| Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. | ||||
| CVE-2026-0494 | 1 Sap | 1 Fiori | 2026-04-18 | 4.3 Medium |
| Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. | ||||
| CVE-2026-22915 | 2 Sick, Sick Ag | 3 Tdc-x401gl, Tdc-x401gl Firmware, Tdc-x401gl | 2026-04-18 | 4.3 Medium |
| An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | ||||
| CVE-2026-0798 | 1 Gitea | 1 Gitea | 2026-04-18 | 3.5 Low |
| Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | ||||
| CVE-2025-15623 | 1 Sparxsystems | 1 Sparx Pro Cloud Server | 2026-04-17 | N/A |
| Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations | ||||
| CVE-2026-25325 | 2 Rtcamp, Wordpress | 2 Rtmedia For Wordpress, Buddypress And Bbpress, Wordpress | 2026-04-17 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8. | ||||
| CVE-2026-24314 | 2 Sap, Sap Se | 3 S\/4hana Uiapfi70, S\/4hana Uis4h, S/4hana (manage Payment Media) | 2026-04-17 | 4.3 Medium |
| Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted. | ||||
| CVE-2026-27494 | 1 N8n | 1 N8n | 2026-04-17 | 9.9 Critical |
| n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other task executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only., and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. | ||||
| CVE-2026-34518 | 2 Aio-libs, Aiohttp | 2 Aiohttp, Aiohttp | 2026-04-17 | 5.3 Medium |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4. | ||||
| CVE-2026-33617 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-16 | 5.3 Medium |
| An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials. | ||||
| CVE-2026-24593 | 2 Strategy11, Wordpress | 2 Awp Classifieds, Wordpress | 2026-04-16 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data.This issue affects AWP Classifieds: from n/a through <= 4.4.3. | ||||