Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,646
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 20,541 - 20,560 of 40,623 CVEs
CVE-2026-6652 MEDIUM - 4.7

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote ex...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6651 LOW - 2.4

A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been releas...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6650 MEDIUM - 4.7

A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6066 HIGH - 7.1

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traf...

Vendor: connectwise
Product: automate
Published: Apr 20, 2026
Source: NVD
CVE-2026-41245 MEDIUM - 5.9

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the...

Vendor: junrar
Product: junrar
Published: Apr 20, 2026
Source: NVD
CVE-2026-40896 MEDIUM - 6.5

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target p...

Vendor: opf
Product: openproject
Published: Apr 20, 2026
Source: NVD

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proce...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39918 CRITICAL - 9.8

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the ...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34429 MEDIUM - 5.4

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a ...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34428 HIGH - 7.7

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbi...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-34427 HIGH - 8.8

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enab...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD
CVE-2026-26944 HIGH - 8.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially ex...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-25883 MEDIUM - 5.8

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the w...

Vendor: Vexa-ai
Product: vexa
Published: Apr 20, 2026
Source: NVD
CVE-2026-25058 HIGH - 7.5

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or ...

Vendor: Vexa-ai
Product: vexa
Published: Apr 20, 2026
Source: NVD
CVE-2026-24468 MEDIUM - 5.3

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. ...

Vendor: OpenAEV-Platform
Product: openaev
Published: Apr 20, 2026
Source: NVD
CVE-2026-24467 CRITICAL - 9.0

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliabl...

Vendor: OpenAEV-Platform
Product: openaev
Published: Apr 20, 2026
Source: NVD
CVE-2026-23774 HIGH - 7.2

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contain an OS command injection vulnerability. A high privileged attacker wi...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-6649 MEDIUM - 6.3

A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the argument starts can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed...

Published: Apr 20, 2026
Source: NVD

An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. This vulnerability is expl...

Published: Apr 20, 2026
Source: NVD
CVE-2026-5760 CRITICAL - 9.8

SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().

Published: Apr 20, 2026
Source: NVD