Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,485
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,241 - 21,260 of 40,240 CVEs
CVE-2026-40183 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-40169 MEDIUM - 6.2

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-34238 MEDIUM - 5.1

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been ...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33947 MEDIUM - 6.2

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can suppl...

Vendor: jqlang
Product: jq
Published: Apr 13, 2026
Source: NVD
CVE-2026-33908 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When M...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33905 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. Th...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33902 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. Thi...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-22566 HIGH - 7.5

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi ...

Vendor: Ubiquiti Inc
Product: UniFi Play PowerAmp, UniFi Play Audio Port
Published: Apr 13, 2026
Source: NVD
CVE-2026-22565 HIGH - 7.5

An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update Uni...

Vendor: Ubiquiti Inc
Product: UniFi Play PowerAmp, UniFi Play Audio Port
Published: Apr 13, 2026
Source: NVD
CVE-2026-22564 CRITICAL - 9.8

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitiga...

Vendor: Ubiquiti Inc
Product: UniFi Play PowerAmp, UniFi Play Audio Port
Published: Apr 13, 2026
Source: NVD
CVE-2026-22563 CRITICAL - 9.8

A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Pla...

Vendor: Ubiquiti Inc
Product: UniFi Play PowerAmp, UniFi Play Audio Port
Published: Apr 13, 2026
Source: NVD
CVE-2026-22562 CRITICAL - 9.8

A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio ...

Vendor: Ubiquiti Inc
Product: UniFi Play PowerAmp, UniFi Play Audio Port
Published: Apr 13, 2026
Source: NVD
CVE-2026-6219 MEDIUM - 5.3

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly d...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6218 MEDIUM - 4.3

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosu...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6216 LOW - 3.5

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched ...

Published: Apr 13, 2026
Source: NVD
CVE-2026-33901 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in ver...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33900 MEDIUM - 5.9

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash....

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33899 MEDIUM - 5.3

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19...

Vendor: ImageMagick
Product: ImageMagick
Published: Apr 13, 2026
Source: NVD
CVE-2026-33740 MEDIUM - 5.4

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from ...

Vendor: espocrm
Product: espocrm
Published: Apr 13, 2026
Source: NVD

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP...

Vendor: espocrm
Product: espocrm
Published: Apr 13, 2026
Source: NVD