Total CVEs

144,090

Critical Severity

4,134

High Severity

14,909

Last 7 Days

1,651
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,521 - 21,540 of 40,495 CVEs
CVE-2025-51414 HIGH - 8.8

In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.

Published: Apr 13, 2026
Source: NVD
CVE-2026-6215 MEDIUM - 6.3

A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6202 MEDIUM - 6.3

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used f...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6201 MEDIUM - 5.4

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. Th...

Published: Apr 13, 2026
Source: NVD
CVE-2026-33657 MEDIUM - 4.6

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting ...

Vendor: espocrm
Product: espocrm
Published: Apr 13, 2026
Source: NVD
CVE-2026-33534 MEDIUM - 4.3

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 017...

Vendor: espocrm
Product: espocrm
Published: Apr 13, 2026
Source: NVD
CVE-2026-32605 HIGH - 7.5

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). Proposal...

Vendor: nimiq
Product: core-rs-albatross
Published: Apr 13, 2026
Source: NVD

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error...

Vendor: craftcms
Product: commerce
Published: Apr 13, 2026
Source: NVD
CVE-2026-31048 CRITICAL - 9.8

An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.

Published: Apr 13, 2026
Source: NVD
CVE-2026-40265 MEDIUM - 5.9

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who know...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Apr 13, 2026
Source: GitHub

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate v...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Apr 13, 2026
Source: GitHub
CVE-2026-40262 HIGH - 8.7

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Apr 13, 2026
Source: GitHub
CVE-2026-40193 HIGH - 8.2

maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap...

Vendor: go
Product: github.com/foxcpp/maddy
Published: Apr 13, 2026
Source: GitHub
CVE-2026-40192 HIGH - 7.5

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of serv...

Vendor: pip
Product: pillow
Published: Apr 13, 2026
Source: GitHub
CVE-2026-6200 HIGH - 8.8

A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly ...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6199 HIGH - 8.8

A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.

Published: Apr 13, 2026
Source: NVD
CVE-2026-6198 HIGH - 8.8

A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed ...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6197 HIGH - 8.8

A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published...

Published: Apr 13, 2026
Source: NVD
CVE-2026-40044 CRITICAL - 9.8

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-40043 MEDIUM - 6.5

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a sw...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD