Total CVEs

144,090

Critical Severity

4,134

High Severity

14,909

Last 7 Days

1,577
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,541 - 21,560 of 40,495 CVEs
CVE-2026-40042 CRITICAL - 9.8

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, c...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-40041 MEDIUM - 4.3

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, mil...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-40040 HIGH - 8.8

Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute them ...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-40039 MEDIUM - 6.5

Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials.

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-40038 HIGH - 7.2

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters a...

Vendor: pancho
Product: Pachno
Published: Apr 13, 2026
Source: NVD
CVE-2026-29955 HIGH - 8.8

The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command s...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6196 HIGH - 8.8

A vulnerability was detected in Tenda F456 1.0.0.5. This affects the function fromexeCommand of the file /goform/exeCommand. Performing a manipulation of the argument cmdinput results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6195 CRITICAL - 9.8

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument admpass leads to os command injection. The attack can be execute...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6194 HIGH - 8.8

A weakness has been identified in Totolink A3002MU B20211125.1046. Affected by this vulnerability is the function sub_410188 of the file /boafrm/formWlanSetup of the component HTTP Request Handler. This manipulation of the argument wan-url causes stack-based buffer overflow. Remote exploitation of t...

Published: Apr 13, 2026
Source: NVD

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the da...

Published: Apr 13, 2026
Source: NVD
CVE-2026-32316 HIGH - 8.2

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffe...

Vendor: jqlang
Product: jq
Published: Apr 13, 2026
Source: NVD
CVE-2026-28291 HIGH - 8.1

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE...

Vendor: steveukx
Product: git-js
Published: Apr 13, 2026
Source: NVD
CVE-2025-3756 MEDIUM - 6.5

A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnera bility by using a specially crafted 61850 packet, forcing the communication in...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6193 HIGH - 7.3

A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6192 LOW - 3.3

A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The ident...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6191 MEDIUM - 6.3

A vulnerability was determined in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /equipments.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and m...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6190 MEDIUM - 6.3

A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and co...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6189 HIGH - 7.3

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has b...

Published: Apr 13, 2026
Source: NVD

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the pa...

Vendor: ChurchCRM
Product: CRM
Published: Apr 13, 2026
Source: NVD

Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.

Published: Apr 13, 2026
Source: NVD