Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,998
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,641 - 20,660 of 41,119 CVEs
CVE-2026-41056 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41055 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal e...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40935 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined w...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40929 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40928 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A ...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40926 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints โ€” `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` โ€” enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body....

Published: Apr 21, 2026
Source: NVD
CVE-2026-6832 HIGH - 8.1

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated ...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6830 LOW - 3.3

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6829 MEDIUM - 6.3

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/st...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6799 MEDIUM - 6.3

A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The ...

Published: Apr 21, 2026
Source: NVD
CVE-2026-41527 MEDIUM - 6.9

KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.

Vendor: KDE
Product: Kleopatra
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnera...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. ...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every inco...

Vendor: datasharingframework, dev.dsf
Product: dsf, dsf-bpe-process-api-v2, dsf-bpe-server
Published: Apr 21, 2026
Source: NVD

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This ...

Vendor: datasharingframework, dev.dsf
Product: dsf, dsf-bpe-server, dsf-common-jetty, dsf-fhir-server
Published: Apr 21, 2026
Source: NVD
CVE-2026-40706 HIGH - 8.4

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when pr...

Vendor: Tuxera
Product: NTFS-3G
Published: Apr 21, 2026
Source: NVD
CVE-2026-1354 MEDIUM - 6.4

Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first ...

Published: Apr 21, 2026
Source: NVD