Total CVEs

143,818

Critical Severity

4,094

High Severity

14,786

Last 7 Days

1,518
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,141 - 21,160 of 40,223 CVEs

SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.

Published: Apr 14, 2026
Source: NVD

SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php.

Published: Apr 14, 2026
Source: NVD
CVE-2026-30480 MEDIUM - 6.5

A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.

Published: Apr 14, 2026
Source: NVD
CVE-2025-69993 MEDIUM - 6.1

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x o...

Vendor: leafletjs
Product: leaflet
Published: Apr 14, 2026
Source: NVD
CVE-2025-69893 MEDIUM - 4.6

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time...

Published: Apr 14, 2026
Source: NVD
CVE-2025-61260 CRITICAL - 9.8

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads pro...

Published: Apr 14, 2026
Source: NVD
CVE-2026-31049 CRITICAL - 9.8

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field

Published: Apr 14, 2026
Source: NVD

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported...

Published: Apr 14, 2026
Source: NVD

A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbi...

Published: Apr 14, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 14, 2026
Source: NVD

.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.

Published: Apr 14, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 14, 2026
Source: NVD

Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.

Published: Apr 14, 2026
Source: NVD
CVE-2026-2332 HIGH - 7.4

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chu...

Vendor: maven
Product: org.eclipse.jetty:jetty-http
Published: Apr 14, 2026
Source: NVD
CVE-2026-24069 MEDIUM - 5.4

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.

Vendor: Kiuwan
Product: SAST
Published: Apr 14, 2026
Source: NVD

MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.

Vendor: MCPHub
Product: MCPHub
Published: Apr 14, 2026
Source: NVD
CVE-2026-4109 MEDIUM - 4.3

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible f...

Published: Apr 14, 2026
Source: NVD
CVE-2026-33929 MEDIUM - 4.3

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version...

Vendor: Apache Software Foundation
Product: Apache PDFBox Examples
Published: Apr 14, 2026
Source: NVD
CVE-2026-33892 HIGH - 7.1

A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). Affected management systems do no...

Vendor: Siemens
Product: Industrial Edge Management Pro V1, Industrial Edge Management Pro V2, Industrial Edge Management Virtual
Published: Apr 14, 2026
Source: NVD
CVE-2026-31924 MEDIUM - 5.3

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache APISIX
Published: Apr 14, 2026
Source: NVD