Total CVEs

144,269

Critical Severity

4,162

High Severity

14,979

Last 7 Days

1,663
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 20,821 - 20,840 of 40,674 CVEs
CVE-2026-6437 MEDIUM - 6.5

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection. To remediate this issue, us...

Vendor: go
Product: github.com/kubernetes-sigs/aws-efs-csi-driver
Published: Apr 17, 2026
Source: NVD
CVE-2026-40525 CRITICAL - 9.1

OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke priv...

Vendor: volcengine
Product: OpenViking
Published: Apr 17, 2026
Source: NVD
CVE-2026-33337 HIGH - 7.5

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated bu...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-28224 HIGH - 8.2

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference an...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-28214 MEDIUM - 6.5

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges ...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-28212 HIGH - 7.5

Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference a...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-27890 HIGH - 8.2

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's g...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-5718 HIGH - 8.1

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangero...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5710 HIGH - 7.5

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selec...

Published: Apr 17, 2026
Source: NVD
CVE-2025-65104 HIGH - 7.9

Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-40518 HIGH - 7.1

ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creati...

Vendor: bytedance
Product: deer-flow
Published: Apr 17, 2026
Source: NVD
CVE-2026-40516 HIGH - 8.3

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an a...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 17, 2026
Source: NVD
CVE-2026-40515 HIGH - 7.5

OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properl...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 17, 2026
Source: NVD
CVE-2026-3464 HIGH - 8.8

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an admini...

Published: Apr 17, 2026
Source: NVD
CVE-2026-21733 HIGH - 7.3

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. This is caused by improper handling of GPU memory reservation protections.

Vendor: Imagination Technologies
Product: Graphics DDK
Published: Apr 17, 2026
Source: NVD
CVE-2026-6497 MEDIUM - 6.3

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request f...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6284 CRITICAL - 9.1

An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.

Published: Apr 17, 2026
Source: NVD
CVE-2026-21709 MEDIUM - 6.7

A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.

Vendor: Veeam
Product: Backup and Replication, Software Appliance
Published: Apr 17, 2026
Source: NVD
CVE-2026-6496 MEDIUM - 5.4

A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been m...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6493 LOW - 3.5

A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site s...

Published: Apr 17, 2026
Source: NVD