Total CVEs

144,278

Critical Severity

4,164

High Severity

14,985

Last 7 Days

1,648
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,921 - 20,940 of 40,683 CVEs
CVE-2026-40897 HIGH - 8.8

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs ...

Vendor: npm
Product: mathjs
Published: Apr 16, 2026
Source: GitHub
CVE-2026-41113 HIGH - 8.1

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Vendor: sagredo
Product: qmail
Published: Apr 16, 2026
Source: NVD

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site...

Vendor: joedolson
Product: my-calendar
Published: Apr 16, 2026
Source: NVD
CVE-2026-40170 HIGH - 7.5

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transpo...

Vendor: ngtcp2
Product: ngtcp2
Published: Apr 16, 2026
Source: NVD

mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never enfo...

Vendor: QuantGeekDev
Product: mcp-framework
Published: Apr 16, 2026
Source: NVD

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in ...

Vendor: moby
Product: spdystream
Published: Apr 16, 2026
Source: NVD
CVE-2026-34164 MEDIUM - 4.9

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers...

Vendor: valtimo-platform
Product: valtimo
Published: Apr 16, 2026
Source: NVD
CVE-2026-33472 MEDIUM - 4.8

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing...

Vendor: cryptomator
Product: cryptomator
Published: Apr 16, 2026
Source: NVD
CVE-2026-40611 HIGH - 8.8

Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego ...

Vendor: go
Product: github.com/go-acme/lego/v4
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40602 MEDIUM - 5.6

The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no r...

Vendor: pip
Product: homeassistant-cli
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40933 CRITICAL - 10.0

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerabili...

Vendor: npm
Product: flowise
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40901 HIGH - 8.8

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes ...

Vendor: dataease
Product: dataease
Published: Apr 16, 2026
Source: NVD
CVE-2026-40900 HIGH - 8.8

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combin...

Vendor: dataease
Product: dataease
Published: Apr 16, 2026
Source: NVD
CVE-2026-40324 CRITICAL - 9.1

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list t...

Vendor: nuget
Product: HotChocolate.Language
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40304 MEDIUM - 5.3

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condit...

Vendor: go
Product: github.com/openziti/zrok
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40303 HIGH - 7.5

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request ...

Vendor: go
Product: github.com/openziti/zrok
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40302 MEDIUM - 6.1

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the atta...

Vendor: go
Product: github.com/openziti/zrok
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40899 MEDIUM - 6.5

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalPar...

Vendor: dataease
Product: dataease
Published: Apr 16, 2026
Source: NVD
CVE-2026-33207 HIGH - 8.8

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings u...

Vendor: dataease
Product: dataease
Published: Apr 16, 2026
Source: NVD
CVE-2026-33122 CRITICAL - 9.8

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the u...

Vendor: dataease
Product: dataease
Published: Apr 16, 2026
Source: NVD