Export limit exceeded: 341156 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341156 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15587 | 2026-03-24 | N/A | ||
| Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0). | ||||
| CVE-2025-11500 | 2026-03-24 | N/A | ||
| Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is a default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0). | ||||
| CVE-2026-4232 | 2026-03-24 | 7.3 High | ||
| A vulnerability was determined in Tiandy Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4233 | 2026-03-24 | 4.3 Medium | ||
| A vulnerability was identified in ThingsGateway 12. This affects an unknown part of the file /api/file/download. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3021 | 1 Wakyma | 2 Wakyma, Wakyma Application Web | 2026-03-24 | 6.5 Medium |
| Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data. | ||||
| CVE-2026-3022 | 1 Wakyma | 2 Wakyma, Wakyma Application Web | 2026-03-24 | 6.5 Medium |
| Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports. | ||||
| CVE-2026-3023 | 1 Wakyma | 2 Wakyma, Wakyma Application Web | 2026-03-24 | 8.8 High |
| Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names. | ||||
| CVE-2026-3024 | 1 Wakyma | 2 Wakyma, Wakyma Application Web | 2026-03-24 | 5.4 Medium |
| Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey that would harm the entire veterinary team. At the same time, a user with low privileges could exploit this vulnerability to access unauthorized data and perform actions with elevated privileges. | ||||
| CVE-2026-4235 | 2026-03-24 | 7.3 High | ||
| A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. This manipulation of the argument user_email causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-4236 | 2026-03-24 | 7.3 High | ||
| A security vulnerability has been detected in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=add. Such manipulation of the argument txtsearch/deptname/name leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-3476 | 2026-03-24 | 7.8 High | ||
| A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file. | ||||
| CVE-2026-25780 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-24 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Mattermost Advisory ID: MMSA-2026-00581 | ||||
| CVE-2026-4239 | 1 Lagom | 1 Whmcs Template | 2026-03-24 | 3.5 Low |
| A vulnerability was found in Lagom WHMCS Template up to 2.3.7. Impacted is an unknown function of the component Datatables. The manipulation results in improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4240 | 1 Open5gs | 1 Open5gs | 2026-03-24 | 5.3 Medium |
| A vulnerability was determined in Open5GS up to 2.7.6. The affected element is the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b_aaa_cb/smf_s6b_sta_cb of the component CCA Handler. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.7.7 is sufficient to fix this issue. Patch name: 80eb484a6ab32968e755e628b70d1a9c64f012ec. Upgrading the affected component is recommended. | ||||
| CVE-2026-4241 | 1 Itsourcecode | 1 College Management System | 2026-03-24 | 6.3 Medium |
| A vulnerability was identified in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/time-table.php. Such manipulation of the argument course_code leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-25369 | 2 Flexmls, Wordpress | 2 Flexmls Idx, Wordpress | 2026-03-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls® IDX allows Reflected XSS.This issue affects Flexmls® IDX: from n/a through 3.15.9. | ||||
| CVE-2025-52636 | 1 Hcltech | 1 Aion | 2026-03-24 | 1.8 Low |
| HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios. | ||||
| CVE-2025-52643 | 1 Hcltech | 1 Aion | 2026-03-24 | 4.7 Medium |
| HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files. | ||||
| CVE-2025-52644 | 1 Hcltech | 1 Aion | 2026-03-24 | 5.8 Medium |
| HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes. | ||||
| CVE-2026-4242 | 1 Babychakra | 1 Pregnancy & Parenting App | 2026-03-24 | 2.5 Low |
| A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the argument SEGMENT_WRITE_KEY results in unprotected storage of credentials. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||