Total: 4319 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-14034 | 1 Belden | 1 Hirschmann Hieos | 2026-04-03 | 9.8 Critical |
| Hirschmann HiEOS versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows an unauthenticated remote attacker to gain administrative access by sending specially crafted HTTP(S) requests. By exploiting the improper authentication handling, an attacker can obtain elevated privileges and perform unauthorized actions, including downloading or uploading the device configuration and modifying firmware. | ||||
| CVE-2026-5320 | 1 Vanna-ai | 1 Vanna | 2026-04-03 | 7.3 High |
| A vulnerability was found in vanna-ai vanna up to version 2.0.2. The affected code is an unspecified function in the file /api/vanna/v2/ of the Chat API Endpoint component. Manipulation of this endpoint results in missing authentication. The attack can be launched remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond. | ||||
| CVE-2026-34072 | 1 Fccview | 1 Cronmaster | 2026-04-03 | 8.3 High |
| Cr*nMaster (cronmaster) is a cronjob management UI with human-readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in the middleware allows unauthenticated requests carrying an invalid session cookie to be treated as authenticated when the middleware's session-validation fetch fails (the check fails open). This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0. | ||||
| CVE-2026-34736 | 1 Openedx | 1 Openedx-platform | 2026-04-03 | 5.3 Medium |
| Open edX Platform enables the authoring and delivery of online learning at any scale. From the Maple release up to but not including the Ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issues tokens to inactive users (documented behavior), and the activation_key is exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the Ulmo release. | ||||
| CVE-2026-34389 | 1 Fleetdm | 1 Fleet | 2026-04-03 | 6.5 Medium |
| Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue. | ||||
| CVE-2026-31946 | 2 Frentix, Openolat | 2 Openolat, Openolat | 2026-04-03 | 9.8 Critical |
| OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 up to but not including version 20.2.5, OpenOlat's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi validate only claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5. | ||||
| CVE-2025-71279 | 1 Xenforo | 1 Xenforo | 2026-04-02 | 9.8 Critical |
| XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication. | ||||
| CVE-2024-44202 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 5.3 Medium |
| An authentication issue was addressed with improved state management. This issue is fixed in Safari 18, iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication. | ||||
| CVE-2024-40794 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-04-02 | 5.3 Medium |
| This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication. | ||||
| CVE-2024-40778 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2026-04-02 | 3.3 Low |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Photos in the Hidden Photos Album may be viewed without authentication. | ||||
| CVE-2024-27867 | 1 Apple | 10 Airpods, Airpods Firmware, Airpods Max and 7 more | 2026-04-02 | 3.3 Low |
| An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones. | ||||
| CVE-2024-27835 | 1 Apple | 3 Ipad Os, Ipados, Iphone Os | 2026-04-02 | 2.4 Low |
| This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to an iOS device may be able to access notes from the lock screen. | ||||
| CVE-2024-23255 | 1 Apple | 5 Ios, Ipad Os, Ipados and 2 more | 2026-04-02 | 9.1 Critical |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication. | ||||
| CVE-2024-23251 | 1 Apple | 5 Ios, Ipados, Iphone Os and 2 more | 2026-04-02 | 4.6 Medium |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. An attacker with physical access may be able to leak Mail account credentials. | ||||
| CVE-2024-23219 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 6.2 Medium |
| The issue was addressed with improved authentication. This issue is fixed in iOS 17.3 and iPadOS 17.3. Stolen Device Protection may be unexpectedly disabled. | ||||
| CVE-2025-31271 | 1 Apple | 1 Macos | 2026-04-02 | 7.5 High |
| This issue was addressed through improved state management. This issue is fixed in macOS Tahoe 26. Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen. | ||||
| CVE-2026-28838 | 1 Apple | 1 Macos | 2026-04-02 | 5.3 Medium |
| A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox. | ||||
| CVE-2025-43281 | 1 Apple | 2 Macos, Macos Sequoia | 2026-04-02 | 7.8 High |
| The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges. | ||||
| CVE-2024-44127 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | 5.3 Medium |
| This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication. | ||||
| CVE-2026-21004 | 1 Samsung | 1 Smart Switch | 2026-04-02 | 6.5 Medium |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to trigger a denial of service. | ||||
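The OpenOlat entry (CVE-2026-31946) above describes the failure mode precisely: the compact JWT is split, the signature segment is thrown away, and only issuer, audience and nonce are compared. The following Python is an added example written for this page, not OpenOlat's Java code: it places a signature-discarding parser beside a verifying one and shows that a forged token with the right claims and a garbage signature passes the first and fails the second. HS256 with the constructed shared key `IDP_KEY` stands in for the IdP's JWKS-published public key so the example runs offline; a real relying party would fetch the key from the JWKS endpoint and verify RS256/ES256. `EXPECTED_ISSUER`, `EXPECTED_AUDIENCE` and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key standing in for the IdP's signing key (assumption, not
# OpenOlat's configuration). Real deployments verify against the JWKS keys.
IDP_KEY = b"constructed-idp-secret-for-demo"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "openolat-client"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_claims(sub: str, nonce: str, ttl: int = 300) -> dict:
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "nonce": nonce, "sub": sub, "exp": int(time.time()) + ttl}


def sign_token(claims: dict, key: bytes) -> str:
    """Mint a genuine HS256 compact JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_admin_token(nonce: str, alg: str = "HS256") -> str:
    """Attacker: correct iss/aud/nonce/exp, a chosen sub, and no valid signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(make_claims("admin", nonce)).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def claims_ok(claims: dict, nonce: str) -> bool:
    """Claim-level checks (issuer, audience, nonce, expiry). Necessary, but
    they cannot distinguish a forged payload from a genuine one."""
    return (claims.get("iss") == EXPECTED_ISSUER
            and claims.get("aud") == EXPECTED_AUDIENCE
            and claims.get("nonce") == nonce
            and claims.get("exp", 0) > time.time())


def parse_unverified(token: str) -> dict:
    """Vulnerable pattern: split the compact JWT and keep only the payload.
    The signature segment is discarded, so the claims are trusted as-is."""
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def login_vulnerable(token: str, nonce: str) -> Optional[str]:
    claims = parse_unverified(token)
    return claims["sub"] if claims_ok(claims, nonce) else None


def parse_verified(token: str, key: bytes) -> Optional[dict]:
    """Fixed pattern: pin the algorithm, recompute the MAC over
    header.payload and compare in constant time before trusting any claim."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose 'none' or another alg
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def login_fixed(token: str, nonce: str, key: bytes = IDP_KEY) -> Optional[str]:
    claims = parse_verified(token, key)
    if claims is None or not claims_ok(claims, nonce):
        return None
    return claims["sub"]


if __name__ == "__main__":
    nonce = "n-123"
    forged = forge_admin_token(nonce)
    print("vulnerable accepts forged token as:", login_vulnerable(forged, nonce))
    print("fixed accepts forged token as:", login_fixed(forged, nonce))
    print("fixed accepts genuine token as:",
          login_fixed(sign_token(make_claims("alice", nonce), IDP_KEY), nonce))
```

The signature check has to run before any claim is read, and the algorithm must come from the relying party's configuration rather than the token header; otherwise an `alg: none` or algorithm-confusion token bypasses the verification just as the discarded signature did.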
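The Cr*nMaster entry (CVE-2026-34072) above describes a middleware that fails open: when the session-validation fetch fails, a request with an invalid cookie is let through. The following Python is an added example for this page, not the project's Next.js middleware; it reconstructs the pattern with a backend callable that raises on an unknown cookie or an outage, the way a rejected fetch would, and contrasts the fail-open check with a fail-closed one. The session table, `validation_backend`, `SessionFetchError` and the function names are constructed for the example.

```python
from typing import Callable, Optional

# Constructed session table standing in for the app's real session store.
SESSIONS = {"sess-4f9a": "alice"}


class SessionFetchError(Exception):
    """The call to the session-validation endpoint failed (unreachable,
    non-2xx answer, unparsable body). Stands in for a rejected fetch()."""


def validation_backend(cookie: str) -> dict:
    """Simulated validation endpoint: a known session yields a result, an
    unknown cookie makes the fetch fail (as a 401 or thrown error would)."""
    if cookie in SESSIONS:
        return {"valid": True, "user": SESSIONS[cookie]}
    raise SessionFetchError(f"validation endpoint rejected {cookie!r}")


def backend_unreachable(cookie: str) -> dict:
    """Simulated outage: every validation fetch fails."""
    raise SessionFetchError("validation endpoint unreachable")


Backend = Callable[[str], dict]


def middleware_vulnerable(cookie: Optional[str], backend: Backend) -> str:
    """Fail-open pattern: a failed fetch is swallowed and only an explicit
    {'valid': False} result redirects, so any failure falls through to 'next'."""
    if not cookie:
        return "redirect:/login"
    try:
        result = backend(cookie)
    except SessionFetchError:
        result = None            # bug: failure leaves no 'invalid' verdict to act on
    if result is not None and not result.get("valid"):
        return "redirect:/login"
    return "next"                # reached for a missing verdict as well as a valid one


def middleware_fixed(cookie: Optional[str], backend: Backend) -> str:
    """Fail-closed pattern: anything other than a positive, parsed
    {'valid': True} verdict denies the request."""
    if not cookie:
        return "redirect:/login"
    try:
        result = backend(cookie)
    except SessionFetchError:
        return "redirect:/login"  # a failed validation fetch is a denial
    if not result.get("valid"):
        return "redirect:/login"
    return "next"


if __name__ == "__main__":
    for cookie, backend, label in [
        ("sess-4f9a", validation_backend, "valid cookie"),
        ("sess-bogus", validation_backend, "invalid cookie"),
        ("sess-4f9a", backend_unreachable, "valid cookie, backend down"),
    ]:
        print(f"{label:28s} vulnerable={middleware_vulnerable(cookie, backend):15s} "
              f"fixed={middleware_fixed(cookie, backend)}")
```

The practical check for any gate of this shape is to enumerate every exit of the validation call (success, explicit reject, thrown error, timeout, malformed response) and confirm that exactly one of them reaches the protected handler.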