Export limit exceeded: 351254 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 80847 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (80847 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42431 | 1 Openclaw | 1 Openclaw | 2026-04-29 | 8.1 High |
| OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations. | ||||
| CVE-2026-42429 | 1 Openclaw | 1 Openclaw | 2026-04-29 | 7.1 High |
| OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations. | ||||
| CVE-2026-42422 | 1 Openclaw | 1 Openclaw | 2026-04-29 | 8.8 High |
| OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval. | ||||
| CVE-2026-4296 | 1 Github | 1 Enterprise Server | 2026-04-29 | 8.8 High |
| An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2026-4821 | 1 Github | 1 Enterprise Server | 2026-04-29 | 7.2 High |
| An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2025-14359 | 1 Wordpress | 1 Wordpress | 2026-04-29 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine allows PHP Local File Inclusion. This issue affects Oshine: from n/a before 7.3.0. | ||||
| CVE-2025-14821 | 2 Libssh, Redhat | 5 Libssh, Enterprise Linux, Hardened Images and 2 more | 2026-04-29 | 7.8 High |
| A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. | ||||
| CVE-2025-31420 | 1 Wordpress | 1 Wordpress | 2026-04-29 | 7.6 High |
| Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation.This issue affects wpForo Forum: from n/a through <= 2.4.2. | ||||
| CVE-2023-41652 | 2 Carrcommunications, Davidfcarr | 2 Rsvpmaker, Rsvpmarker | 2026-04-29 | 8.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 10.6.6. | ||||
| CVE-2023-40215 | 1 Superwhite | 1 Demon Image Annotation | 2026-04-29 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Demonisblack demon image annotation allows SQL Injection.This issue affects demon image annotation: from n/a through 5.1. | ||||
| CVE-2023-40207 | 1 Rednao | 1 Donations Made Easy - Smart Donations | 2026-04-29 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedNao Donations Made Easy – Smart Donations allows SQL Injection.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12. | ||||
| CVE-2023-37966 | 1 Solwininfotech | 1 User Activity Log | 2026-04-29 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log user-activity-log allows SQL Injection.This issue affects User Activity Log: from n/a through 1.6.2. | ||||
| CVE-2023-28748 | 1 Appjetty | 1 Copy Or Move Comments | 2026-04-29 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in biztechc Copy or Move Comments allows SQL Injection.This issue affects Copy or Move Comments: from n/a through 5.0.4. | ||||
| CVE-2022-46849 | 1 Weblizar | 1 Responsive Coming Soon \& Maintenance Mode | 2026-04-29 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar Coming Soon Page – Responsive Coming Soon & Maintenance Mode allows SQL Injection.This issue affects Coming Soon Page – Responsive Coming Soon & Maintenance Mode: from n/a through 1.5.9. | ||||
| CVE-2025-67223 | 1 Arandasoft | 1 Aranda File Server | 2026-04-29 | 7.5 High |
| The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII. | ||||
| CVE-2026-41603 | 1 Apache | 1 Thrift | 2026-04-29 | 7.4 High |
| Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | ||||
| CVE-2026-7279 | 1 Empia Technology | 1 Avacast | 2026-04-29 | 7.8 High |
| AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL. | ||||
| CVE-2026-7272 | 1 Williamcloudqi | 1 Matlab-mcp-server | 2026-04-29 | 7.3 High |
| A flaw has been found in WilliamCloudQi matlab-mcp-server up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected element is the function generate_matlab_code/execute_matlab_code of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument scriptPath can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-7316 | 1 Eiliyaabedini | 1 Aider-mcp | 2026-04-29 | 7.3 High |
| A vulnerability has been found in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-63030 | 1 Wordpress | 1 Wordpress | 2026-04-29 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery.This issue affects New User Approve: from n/a through <= 3.2.3. | ||||