Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,623
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 20,721 - 20,740 of 40,623 CVEs
CVE-2026-40481 HIGH - 7.5

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memo...

Vendor: monetr
Product: monetr
Published: Apr 17, 2026
Source: NVD
CVE-2026-2434 MEDIUM - 6.4

The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Apr 17, 2026
Source: NVD

miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improp...

Published: Apr 17, 2026
Source: NVD

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU ...

Vendor: webonyx
Product: graphql-php
Published: Apr 17, 2026
Source: NVD
CVE-2026-40352 HIGH - 8.8

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-pr...

Vendor: labring
Product: FastGPT
Published: Apr 17, 2026
Source: NVD
CVE-2026-40351 CRITICAL - 9.8

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password f...

Vendor: labring
Product: FastGPT
Published: Apr 17, 2026
Source: NVD
CVE-2026-40321 HIGH - 8.0

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased...

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Apr 17, 2026
Source: NVD
CVE-2026-40306 MEDIUM - 6.5

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Apr 17, 2026
Source: NVD
CVE-2026-40305 MEDIUM - 4.3

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2....

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Apr 17, 2026
Source: NVD

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malfo...

Vendor: libcoap
Product: libcoap
Published: Apr 17, 2026
Source: NVD
CVE-2026-40931 HIGH - 8.4

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fail...

Vendor: npm
Product: compressing
Published: Apr 17, 2026
Source: GitHub
CVE-2026-40527 HIGH - 7.8

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute...

Vendor: radareorg
Product: radare2
Published: Apr 17, 2026
Source: NVD
CVE-2026-40301 MEDIUM - 4.7

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to...

Vendor: rhukster
Product: dom-sanitizer
Published: Apr 17, 2026
Source: NVD

next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-rela...

Vendor: amannn
Product: next-intl
Published: Apr 17, 2026
Source: NVD
CVE-2026-40293 MEDIUM - 6.5

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint....

Vendor: openfga
Product: openfga
Published: Apr 17, 2026
Source: NVD
CVE-2026-40286 HIGH - 7.5

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script ...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Apr 17, 2026
Source: NVD
CVE-2026-40285 HIGH - 8.8

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the atta...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Apr 17, 2026
Source: NVD
CVE-2026-40284 MEDIUM - 6.8

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch pa...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Apr 17, 2026
Source: NVD

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Apr 17, 2026
Source: NVD
CVE-2026-40196 HIGH - 8.1

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the ac...

Vendor: sysadminsmedia
Product: homebox
Published: Apr 17, 2026
Source: NVD