Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,485
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,221 - 21,240 of 40,240 CVEs
CVE-2026-27678 MEDIUM - 6.5

Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availab...

Vendor: SAP_SE
Product: SAP S/4HANA Backend OData Service (Manage Reference Structures)
Published: Apr 14, 2026
Source: NVD
CVE-2026-27677 MEDIUM - 6.5

Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not imp...

Vendor: SAP_SE
Product: SAP S/4HANA OData Service (Manage Reference Equipment)
Published: Apr 14, 2026
Source: NVD
CVE-2026-27676 MEDIUM - 4.3

Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and av...

Vendor: SAP_SE
Product: SAP S/4HANA OData Service (Manage Technical Object Structures)
Published: Apr 14, 2026
Source: NVD

SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degre...

Vendor: SAP_SE
Product: SAP Landscape Transformation
Published: Apr 14, 2026
Source: NVD
CVE-2026-27674 MEDIUM - 6.1

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, tha...

Vendor: SAP_SE
Product: SAP NetWeaver Application Server Java (Web Dynpro Java)
Published: Apr 14, 2026
Source: NVD
CVE-2026-27673 MEDIUM - 4.9

Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could leads to no impact on Confidentiality, Low impact on Integrity and Availability of the ...

Vendor: SAP_SE
Product: SAP S/4HANA (Private Cloud and On-Premise)
Published: Apr 14, 2026
Source: NVD
CVE-2026-27672 MEDIUM - 4.3

The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.

Vendor: SAP_SE
Product: Material Master Application
Published: Apr 14, 2026
Source: NVD
CVE-2026-24318 MEDIUM - 4.2

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens ...

Vendor: SAP_SE
Product: SAP BusinessObjects Business Intelligence Platform
Published: Apr 14, 2026
Source: NVD
CVE-2026-0512 MEDIUM - 6.1

Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could a...

Published: Apr 14, 2026
Source: NVD

SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof th...

Vendor: rust
Product: sp1_sdk
Published: Apr 14, 2026
Source: GitHub
CVE-2026-6203 MEDIUM - 6.1

The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_...

Published: Apr 13, 2026
Source: NVD
CVE-2026-5086 HIGH - 7.5

Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password.

Published: Apr 13, 2026
Source: NVD

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL ter...

Vendor: jqlang
Product: jq
Published: Apr 13, 2026
Source: NVD
CVE-2026-39956 MEDIUM - 6.1

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() ch...

Vendor: jqlang
Product: jq
Published: Apr 13, 2026
Source: NVD
CVE-2026-6224 HIGH - 7.3

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiat...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6220 MEDIUM - 4.7

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible t...

Published: Apr 13, 2026
Source: NVD

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Published: Apr 13, 2026
Source: NVD
CVE-2026-40312 MEDIUM - 6.2

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-40311 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions ...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-40310 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD