Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,441
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 20,161 - 20,180 of 40,240 CVEs
CVE-2026-6066 HIGH - 7.1

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traf...

Vendor: connectwise
Product: automate
Published: Apr 20, 2026
Source: NVD
CVE-2026-41245 MEDIUM - 5.9

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the...

Vendor: junrar
Product: junrar
Published: Apr 20, 2026
Source: NVD
CVE-2026-40896 MEDIUM - 6.5

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target p...

Vendor: opf
Product: openproject
Published: Apr 20, 2026
Source: NVD

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proce...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39918 CRITICAL - 9.8

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the ...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34429 MEDIUM - 5.4

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a ...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34428 HIGH - 7.7

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbi...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34427 HIGH - 8.8

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enab...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-26944 HIGH - 8.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially ex...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-25883 MEDIUM - 5.8

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the w...

Vendor: Vexa-ai
Product: vexa
Published: Apr 20, 2026
Source: NVD
CVE-2026-25058 HIGH - 7.5

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or ...

Vendor: Vexa-ai
Product: vexa
Published: Apr 20, 2026
Source: NVD
CVE-2026-24468 MEDIUM - 5.3

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. ...

Vendor: OpenAEV-Platform
Product: openaev
Published: Apr 20, 2026
Source: NVD
CVE-2026-24467 CRITICAL - 9.0

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliabl...

Vendor: OpenAEV-Platform
Product: openaev
Published: Apr 20, 2026
Source: NVD
CVE-2026-23774 HIGH - 7.2

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contain an OS command injection vulnerability. A high privileged attacker wi...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-6649 MEDIUM - 6.3

A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the argument starts can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed...

Published: Apr 20, 2026
Source: NVD

An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. This vulnerability is expl...

Published: Apr 20, 2026
Source: NVD
CVE-2026-5760 CRITICAL - 9.8

SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().

Published: Apr 20, 2026
Source: NVD
CVE-2026-4048 HIGH - 8.4

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

Published: Apr 20, 2026
Source: NVD
CVE-2026-3519 HIGH - 8.4

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

Published: Apr 20, 2026
Source: NVD
CVE-2026-3518 HIGH - 8.4

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

Published: Apr 20, 2026
Source: NVD