Total: 5054 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8025 | 1 Dinosoft Business Solutions | 1 Dinosoft Erp | 2026-04-15 | 9.8 Critical |
| Missing Authentication for Critical Function and Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows accessing functionality not properly constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-43626 | 1 Intel | 45 Atom C2308 Firmware, Atom C2316 Firmware, Atom C2338 Firmware and 42 more | 2026-04-15 | 7.5 High |
| Improper access control in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-51988 | | | 2026-04-15 | 6.5 Medium |
| RabbitMQ is a feature-rich, multi-protocol messaging and streaming broker. In affected versions, queue deletion via the HTTP API did not verify the `configure` permission of the user. Users who had all of the following: (1) valid credentials, (2) some permissions for the target virtual host, and (3) HTTP API access, could delete queues they had no (deletion) permission for. This issue has been addressed in version 3.12.11 of the open source RabbitMQ release and in versions 1.5.2, 3.13.0, and 4.0.0 of the Tanzu release. Users are advised to upgrade. Users unable to upgrade may disable the management plugin and use, for example, Prometheus and Grafana for monitoring. | ||||
| CVE-2024-39934 | 1 Robotmk | 1 Robotmk | 2026-04-15 | 7.8 High |
| Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment. | ||||
| CVE-2025-64483 | 1 Wazuh | 2 Wazuh, Wazuh-dashboard | 2026-04-15 | N/A |
| Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | ||||
| CVE-2024-33898 | 1 Axiros | 1 Axess | 2026-04-15 | 9.8 Critical |
| Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution. | ||||
| CVE-2025-2557 | | | 2026-04-15 | 5.5 Medium |
| A vulnerability, which was classified as critical, has been found in Audi UTR Dashcam 2.0. Affected by this issue is some unknown functionality of the component Command API. The manipulation leads to improper access controls. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. Upgrading to version 2.89 or 2.90 addresses this issue. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professionally. Version 2.89 fixes this issue for new customers, and 2.90 is going to fix it for existing customers. | ||||
| CVE-2025-15426 | | | 2026-04-15 | 7.3 High |
| A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10371 | 2 Echarge, Hardy-barth | 2 Salia Plcc, Cph2 Echarge | 2026-04-15 | 7.3 High |
| A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-25683 | | | 2026-04-15 | 5.6 Medium |
| AlekSIS-Core is vulnerable to Incorrect Access Control. Unauthenticated users can access all PDF files. This affects AlekSIS-Core 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0 and 3.2.1. | ||||
| CVE-2025-20076 | | | 2026-04-15 | 5.0 Medium |
| Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | ||||
| CVE-2025-0783 | | | 2026-04-15 | 6.3 Medium |
| A vulnerability, which was classified as problematic, was found in pankajindevops scale up to 20241113. This affects an unknown part of the component API Endpoint. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. | ||||
| CVE-2024-4988 | | | 2026-04-15 | 7.5 High |
| The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage. | ||||
| CVE-2025-10247 | 1 Jepaas | 1 Jepaas | 2026-04-15 | 6.3 Medium |
| A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2021-47155 | 1 Perl | 1 Perl | 2026-04-15 | 9.1 Critical |
| The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. | ||||
| CVE-2024-47910 | 1 Sonarsource | 1 Sonarqube | 2026-04-15 | 7.2 High |
| An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT. | ||||
| CVE-2024-25133 | | | 2026-04-15 | 8.8 High |
| A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. | ||||
| CVE-2024-1678 | 2 Dunhakdis, Wordpress | 2 Subway-private Site Option, Wordpress | 2026-04-15 | 5.3 Medium |
| The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post content. | ||||
| CVE-2025-13804 | 1 Nutzam | 1 Nutzboot | 2026-04-15 | 4.3 Medium |
| A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2025-49603 | | | 2026-04-15 | 9.1 Critical |
| Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | ||||
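The CVE-2021-47155 entry above (Net::IPV4Addr, extraneous zero characters in an IP address string) describes a parser-disagreement class that is easy to reproduce. The following is an added example written for this page; it is not code from the CVE record, from Net::IPV4Addr, or from any of the listed vendors. It contrasts a lenient dotted-quad parser that silently drops leading zeros with an inet_aton()-style parser that reads a leading `0` as octal, and shows how an allowlist check built on the lenient reading admits a spoofed string that the strict reading rejects. The allowlist, the spoofed address, and all function names are constructed for the demonstration.

```python
"""
Added example (not from the CVE record or from Net::IPV4Addr):
why extraneous leading zeros in dotted-quad strings break IP-based access control.

A lenient parser that converts each octet with int() treats "010.0.0.1" as
10.0.0.1. Classic inet_aton() (BSD libc, glibc, and runtimes built on them)
reads a leading 0 as octal, so the same string means 8.0.0.1. When the ACL
check uses one reading and the socket layer uses the other, the two disagree
about which host is being authorised. The fix is to reject non-canonical
octets outright instead of normalising them.
"""
import re

# Canonical decimal octet: "0" or 1..255 written without a leading zero.
_STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def lenient_parse(addr):
    """Lenient parse: int() silently discards leading zeros ("010" -> 10)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = []
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        v = int(p, 10)
        if v > 255:
            raise ValueError(f"octet out of range: {p!r}")
        octets.append(v)
    return tuple(octets)


def inet_aton_like_parse(addr):
    """Mimics classic inet_aton() octet rules: "0x" prefix is hex, a leading
    "0" is octal, otherwise decimal. Simplified: only the four-part form is
    handled; inet_aton's one-, two- and three-part forms are out of scope."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = []
    for p in parts:
        if p.lower().startswith("0x"):
            v = int(p[2:], 16)          # raises ValueError on non-hex digits
        elif len(p) > 1 and p.startswith("0"):
            v = int(p, 8)               # "010" -> 8; "08" raises ValueError
        elif p.isascii() and p.isdigit():
            v = int(p, 10)
        else:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range: {p!r}")
        octets.append(v)
    return tuple(octets)


def strict_parse(addr):
    """Hardened parse: accept only canonical decimal octets, no leading zeros,
    no hex, no whitespace or sign characters."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(_STRICT_OCTET.match(p) for p in parts):
        raise ValueError(f"non-canonical IPv4 address rejected: {addr!r}")
    return tuple(int(p, 10) for p in parts)


def acl_allows(client_addr, allowlist, parse):
    """True if client_addr matches an allowlist entry under the given parser.
    Anything the parser refuses fails closed."""
    try:
        client = parse(client_addr)
    except ValueError:
        return False
    return client in {parse(a) for a in allowlist}


# Constructed demonstration values (hypothetical; not from the CVE record).
ALLOWLIST = ["10.0.0.1"]
SPOOFED = "010.0.0.1"


def demo():
    """Collect the two readings of SPOOFED and the ACL verdict under each parser."""
    return {
        "lenient_reading": lenient_parse(SPOOFED),            # (10, 0, 0, 1)
        "inet_aton_reading": inet_aton_like_parse(SPOOFED),   # (8, 0, 0, 1)
        "lenient_allows": acl_allows(SPOOFED, ALLOWLIST, lenient_parse),  # True
        "strict_allows": acl_allows(SPOOFED, ALLOWLIST, strict_parse),    # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical check is the last two lines of `demo()`: the lenient ACL admits `010.0.0.1` because it compares it as 10.0.0.1, while the operating system's resolver would have connected to 8.0.0.1. Rejecting non-canonical input, as `strict_parse` does, removes the ambiguity; normalising it only moves the disagreement to a different layer.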