LiveActive security incident?Get immediate response
CVE archive

April 2023

Browse CVE records published in April 2023, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2304 matching CVEs · Page 1 of 47.

High · CVSS 8.6

CVE-2023-2378: Ubiquiti EdgeRouter X Web Management command injection

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown function of the component Web Management Interface. This manipulation of the argument suffix-rate-up causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.6

CVE-2023-2377: Ubiquiti EdgeRouter X Web Management command injection

A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The impacted element is an unknown function of the component Web Management Interface. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit is now public and may be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.6

CVE-2023-2376: Ubiquiti EdgeRouter X Web Management command injection

A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The affected element is an unknown function of the component Web Management Interface. The manipulation of the argument dpi leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. There are still doubts about whether this vulnerability truly exists. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.6

CVE-2023-2375: Ubiquiti EdgeRouter X Web Management command injection

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Impacted is an unknown function of the component Web Management Interface. Executing a manipulation of the argument src can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.6

CVE-2023-2374: Ubiquiti EdgeRouter X Web Management command injection

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This issue affects some unknown processing of the component Web Management Interface. Performing a manipulation of the argument ecn-down results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The existence of this vulnerability is still disputed at present. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.6

CVE-2023-2373: Ubiquiti EdgeRouter X Web Management command injection

A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This vulnerability affects unknown code of the component Web Management Interface. Such manipulation of the argument ecn-up leads to command injection. The attack may be performed from remote. The exploit is publicly available and might be used. The actual existence of this vulnerability is currently in question. The vendor position is that post-authentication issues are not accepted as vulnerabilities.

Published Apr 28, 2023 · Updated Jul 9, 2026

High · CVSS 8.4

CVE-2023-52070: JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int ind...

JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Published Apr 10, 2024 · Updated Jul 9, 2026

Medium · CVSS 5.3

CVE-2023-0645: Out of Bounds read in libjxl

An out of bounds read exists in libjxl. An attacker using a specifically crafted file could cause an out of bounds read in the exif handler. We recommend upgrading to version 0.8.1 or past commit  https://github.com/libjxl/libjxl/pull/2101/commits/d95b050c1822a5b1ede9e0dc937e43fca1b10159 https://github.com/libjxl/libjxl/pull/2101/commits/d95b050c1822a5b1ede9e0dc937e43fca1b10159

Published Apr 11, 2023 · Updated Jun 29, 2026

Unknown · CVSS Not scored

CVE-2023-53034: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

In the Linux kernel, the following vulnerability has been resolved: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT.

Published Apr 16, 2025 · Updated Jun 11, 2026

Medium · CVSS 6

CVE-2023-6717: Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Published Apr 25, 2024 · Updated Jun 2, 2026

Low · CVSS 3.7

CVE-2023-21968: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component...

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Published Apr 18, 2023 · Updated May 28, 2026

Medium · CVSS 6.1

CVE-2023-54364: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.

Published Apr 9, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-54363: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters

Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.

Published Apr 9, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-54362: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword

Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.

Published Apr 9, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-54361: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword

Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.

Published Apr 9, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-54360: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter

Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.

Published Apr 9, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-54358: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.

Published Apr 9, 2026 · Updated May 24, 2026

Critical · CVSS 9.8

CVE-2023-1723: SQLi in Veragroup Mobile Assistant

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veragroup Mobile Assistant allows SQL Injection. This issue affects Mobile Assistant: before 21.S.2343.

Published Apr 17, 2023 · Updated May 22, 2026

Medium · CVSS 5.4

CVE-2023-1726: XSS in Proliz OBS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proliz OBS allows Stored XSS for an authenticated user. This issue affects OBS: before 23.04.01.

Published Apr 7, 2023 · Updated May 22, 2026

Critical · CVSS 9.8

CVE-2023-1765: SQLi in Panon

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection. This issue affects Panon: before 1.0.2.

Published Apr 3, 2023 · Updated May 22, 2026

Medium · CVSS 6.1

CVE-2023-1766: XSS in Panon

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Akbim Computer Panon allows Reflected XSS. This issue affects Panon: before 1.0.2.

Published Apr 3, 2023 · Updated May 22, 2026

Critical · CVSS 9.8

CVE-2023-1803: Authentication Bypass in Redline Router

Authentication Bypass by Alternate Name vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue affects Redline Router: before 7.17.

Published Apr 14, 2023 · Updated May 22, 2026

High · CVSS 8.8

CVE-2023-6523: IDOR in ExtremePacs's Extreme XDS

Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914.

Published Apr 5, 2024 · Updated May 20, 2026

High · CVSS 8.5

CVE-2023-7343: Belden Industrial HiVision Arbitrary Code Execution via Malicious Project File

HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.

Published Apr 2, 2026 · Updated May 14, 2026

High · CVSS 8.8

CVE-2023-7342: Belden HiSecOS Web Server Privilege Escalation

HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.

Published Apr 2, 2026 · Updated May 14, 2026

Medium · CVSS 5.3

CVE-2023-27043: The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special charac...

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Published Apr 18, 2023 · Updated May 12, 2026

Medium · CVSS 5.9

CVE-2023-6237: Excessive time spent checking invalid RSA public keys

Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Published Apr 25, 2024 · Updated May 12, 2026