Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,455
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,461 - 21,480 of 40,240 CVEs
CVE-2026-6133 HIGH - 8.8

A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. This affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and migh...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6132 CRITICAL - 9.8

A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6131 CRITICAL - 9.8

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remo...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6130 HIGH - 7.3

A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6129 HIGH - 7.3

A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The pro...

Published: Apr 12, 2026
Source: NVD
CVE-2026-40396 MEDIUM - 4.0

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed ...

Vendor: varnish-software
Product: Varnish Cache
Published: Apr 12, 2026
Source: NVD
CVE-2026-40395 MEDIUM - 4.0

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and...

Vendor: varnish-software
Product: Varnish Enterprise
Published: Apr 12, 2026
Source: NVD
CVE-2026-40394 MEDIUM - 4.0

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request...

Vendor: varnish-software
Product: Varnish Cache
Published: Apr 12, 2026
Source: NVD
CVE-2026-40393 HIGH - 8.1

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

Vendor: mesa3d
Product: Mesa
Published: Apr 12, 2026
Source: NVD
CVE-2026-40386 MEDIUM - 4.0

In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs.

Vendor: libexif project
Product: libexif
Published: Apr 12, 2026
Source: NVD
CVE-2026-40385 MEDIUM - 4.0

In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems.

Vendor: libexif project
Product: libexif
Published: Apr 12, 2026
Source: NVD
CVE-2019-25713 HIGH - 7.1

MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind...

Vendor: MyT
Product: Project Management
Published: Apr 12, 2026
Source: NVD
CVE-2019-25712 MEDIUM - 6.2

BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration...

Vendor: NSauditor
Product: BlueAuditor
Published: Apr 12, 2026
Source: NVD
CVE-2019-25711 MEDIUM - 6.2

SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash wh...

Vendor: NSauditor
Product: SpotFTP Password Recover
Published: Apr 12, 2026
Source: NVD
CVE-2019-25710 HIGH - 8.2

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-...

Vendor: Dolibarr
Product: Dolibarr ERP-CRM
Published: Apr 12, 2026
Source: NVD
CVE-2019-25709 CRITICAL - 9.8

CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the ...

Vendor: Davidtavarez
Product: CF Image Hosting Script
Published: Apr 12, 2026
Source: NVD
CVE-2019-25708 MEDIUM - 4.3

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm,...

Vendor: Heatmiser
Product: Heatmiser Wifi Thermostat
Published: Apr 12, 2026
Source: NVD
CVE-2019-25707 HIGH - 7.1

eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extr...

Vendor: Ebrigade
Product: eBrigade ERP
Published: Apr 12, 2026
Source: NVD
CVE-2019-25706 HIGH - 7.5

Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backu...

Vendor: Across
Product: DR-810
Published: Apr 12, 2026
Source: NVD
CVE-2019-25705 HIGH - 8.4

Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and ...

Vendor: Sourceforge
Product: Echo Mirage
Published: Apr 12, 2026
Source: NVD