Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,525
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,821 - 20,840 of 40,198 CVEs
CVE-2026-33018 HIGH - 7.0

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() uncond...

Vendor: saitoha
Product: libsixel
Published: Apr 14, 2026
Source: NVD

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of t...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of t...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD
CVE-2026-27306 HIGH - 8.4

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim mu...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD
CVE-2026-27305 HIGH - 8.6

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and director...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD
CVE-2026-27304 CRITICAL - 9.3

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD
CVE-2026-27282 HIGH - 7.5

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user ...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD
CVE-2025-15565 MEDIUM - 5.3

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.

Vendor: cartasi
Product: Nexi XPay
Published: Apr 14, 2026
Source: NVD

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/soci...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 14, 2026
Source: NVD
CVE-2026-34160 HIGH - 8.6

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 14, 2026
Source: NVD
CVE-2026-33715 HIGH - 7.2

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authenticati...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 14, 2026
Source: NVD

Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end par...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 14, 2026
Source: NVD
CVE-2026-27287 HIGH - 7.8

InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Expl...

Vendor: Adobe
Product: InCopy
Published: Apr 14, 2026
Source: NVD

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a c...

Vendor: octobercms
Product: october
Published: Apr 14, 2026
Source: NVD
CVE-2026-25125 MEDIUM - 4.9

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attacke...

Vendor: octobercms
Product: october
Published: Apr 14, 2026
Source: NVD
CVE-2026-24893 HIGH - 8.8

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the m...

Vendor: openITCOCKPIT
Product: openITCOCKPIT
Published: Apr 14, 2026
Source: NVD
CVE-2026-40683 HIGH - 7.7

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_e...

Vendor: OpenStack
Product: Keystone
Published: Apr 14, 2026
Source: NVD
CVE-2026-34630 HIGH - 7.8

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Bridge
Published: Apr 14, 2026
Source: NVD
CVE-2026-34618 HIGH - 7.8

Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Apr 14, 2026
Source: NVD
CVE-2026-27313 HIGH - 7.8

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Bridge
Published: Apr 14, 2026
Source: NVD