Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,905
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 21,481 - 21,500 of 41,119 CVEs
CVE-2026-40959 CRITICAL - 9.3

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.

Vendor: Luanti
Product: Luanti
Published: Apr 16, 2026
Source: NVD
CVE-2026-40503 MEDIUM - 6.5

OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memor...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 16, 2026
Source: NVD
CVE-2026-40502 HIGH - 8.8

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execut...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 16, 2026
Source: NVD
CVE-2026-32179 CRITICAL - 9.8

MsQuic has a Remote Elevation of Privilege Vulnerability

Vendor: nuget
Product: Microsoft.Native.Quic.MsQuic.OpenSSL
Published: Apr 16, 2026
Source: GitHub

Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation.Β The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.Β  An adjacent attacker with the ability to inter...

Published: Apr 16, 2026
Source: NVD
CVE-2026-4880 CRITICAL - 9.8

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Bas...

Published: Apr 16, 2026
Source: NVD

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Vendor: Yubico
Product: libfido2, python-fido2, yubikey-manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-4949 MEDIUM - 4.3

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not proper...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40316 HIGH - 8.8

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with...

Vendor: OWASP-BLT
Product: BLT
Published: Apr 15, 2026
Source: NVD
CVE-2026-39350 MEDIUM - 5.4

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is ...

Vendor: istio
Product: istio
Published: Apr 15, 2026
Source: NVD
CVE-2026-6388 CRITICAL - 9.1

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on ...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40500 MEDIUM - 6.8

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTT...

Vendor: processwire
Product: processwire
Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 15, 2026
Source: NVD
CVE-2026-40186 MEDIUM - 6.1

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). Apostrophe...

Vendor: apostrophecms
Product: apostrophe, sanitize-html
Published: Apr 15, 2026
Source: NVD
CVE-2026-40173 CRITICAL - 9.4

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line includ...

Vendor: dgraph-io
Product: dgraph
Published: Apr 15, 2026
Source: NVD
CVE-2026-22676 HIGH - 7.8

Barracuda RMM versions prior toΒ 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker...

Vendor: Barracuda Networks
Product: RMM
Published: Apr 15, 2026
Source: NVD
CVE-2026-6385 MEDIUM - 6.5

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds ch...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6384 HIGH - 7.3

A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a specially crafted GIF file. This can lead to a denial of service or potentially arbitrary code execu...

Published: Apr 15, 2026
Source: NVD