Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,858
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,541 - 21,560 of 41,119 CVEs

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, t...

Vendor: apostrophecms
Product: apostrophe
Published: Apr 15, 2026
Source: NVD

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3&...

Vendor: Grafana
Product: Grafana Correlations
Published: Apr 15, 2026
Source: NVD
CVE-2026-21726 MEDIUM - 5.3

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.

Vendor: Grafana
Product: Loki
Published: Apr 15, 2026
Source: NVD
CVE-2025-41118 CRITICAL - 9.1

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyr...

Vendor: Grafana
Product: Pyroscope
Published: Apr 15, 2026
Source: NVD
CVE-2026-40486 MEDIUM - 4.3

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields ar...

Vendor: composer
Product: kimai/kimai
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40479 MEDIUM - 5.4

Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype...

Vendor: composer
Product: kimai/kimai
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40478 CRITICAL - 9.1

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neu...

Vendor: maven
Product: org.thymeleaf:thymeleaf
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40477 CRITICAL - 9.1

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restric...

Vendor: maven
Product: org.thymeleaf:thymeleaf
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40347 MEDIUM - 5.3

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candid...

Vendor: pip
Product: python-multipart
Published: Apr 15, 2026
Source: GitHub

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

Vendor: npm
Product: @nocobase/plugin-workflow-request
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40882 HIGH - 7.6

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-s...

Vendor: maven
Product: io.openremote:openremote-manager
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40574 MEDIUM - 6.8

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and s...

Vendor: go
Product: github.com/oauth2-proxy/oauth2-proxy/v7
Published: Apr 15, 2026
Source: GitHub
CVE-2026-40575 CRITICAL - 9.1

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so...

Vendor: go
Product: github.com/oauth2-proxy/oauth2-proxy/v7
Published: Apr 15, 2026
Source: GitHub
CVE-2026-6383 MEDIUM - 5.4

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresourc...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6245 MEDIUM - 5.5

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an...

Published: Apr 15, 2026
Source: NVD

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitation r...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4857 HIGH - 8.4

IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityI...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40256 MEDIUM - 5.0

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when t...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-39845 MEDIUM - 4.1

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-34632 HIGH - 8.2

Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search path used by the app...

Vendor: Adobe
Product: Adobe Photoshop Installer
Published: Apr 15, 2026
Source: NVD