Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,632
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,941 - 21,960 of 40,623 CVEs

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify t...

Vendor: labring
Product: FastGPT
Published: Apr 10, 2026
Source: NVD
CVE-2026-40242 HIGH - 7.2

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. T...

Vendor: getarcaneapp
Product: arcane
Published: Apr 10, 2026
Source: NVD

phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circ...

Vendor: phpseclib
Product: phpseclib
Published: Apr 10, 2026
Source: NVD

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail ...

Vendor: craigjbass
Product: clearancekit
Published: Apr 10, 2026
Source: NVD
CVE-2026-40258 CRITICAL - 9.1

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-tra...

Vendor: pip
Product: gramps-webapi
Published: Apr 10, 2026
Source: GitHub
CVE-2026-40260 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has be...

Vendor: pip
Product: pypdf
Published: Apr 10, 2026
Source: GitHub
CVE-2026-40190 MEDIUM - 5.6

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards agains...

Vendor: langchain-ai
Product: langsmith-sdk
Published: Apr 10, 2026
Source: NVD
CVE-2026-40189 CRITICAL - 9.8

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload fi...

Vendor: patrickhener
Product: goshs
Published: Apr 10, 2026
Source: NVD
CVE-2026-40188 HIGH - 7.7

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.

Vendor: patrickhener
Product: goshs
Published: Apr 10, 2026
Source: NVD
CVE-2026-40185 HIGH - 7.1

TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.

Vendor: mauriceboe
Product: TREK
Published: Apr 10, 2026
Source: NVD

TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.

Vendor: mauriceboe
Product: TREK
Published: Apr 10, 2026
Source: NVD

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output dir...

Vendor: quarkiverse
Product: quarkus-openapi-generator
Published: Apr 10, 2026
Source: NVD

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. This vulnerability is fixed in 0.112.

Vendor: ajenti
Product: ajenti
Published: Apr 10, 2026
Source: NVD

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerability is fixed in 0.112.

Vendor: ajenti
Product: ajenti
Published: Apr 10, 2026
Source: NVD
CVE-2026-40175 CRITICAL - 10.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Comp...

Vendor: axios
Product: axios
Published: Apr 10, 2026
Source: NVD
CVE-2026-40168 HIGH - 8.2

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a resul...

Vendor: gitroomhq
Product: postiz-app
Published: Apr 10, 2026
Source: NVD
CVE-2026-39922 MEDIUM - 6.3

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during...

Vendor: GeoNode
Product: GeoNode
Published: Apr 10, 2026
Source: NVD
CVE-2026-39921 MEDIUM - 6.3

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attac...

Vendor: GeoNode
Product: GeoNode
Published: Apr 10, 2026
Source: NVD
CVE-2026-32252 HIGH - 7.7

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "upd...

Vendor: chartbrew
Product: chartbrew
Published: Apr 10, 2026
Source: NVD
CVE-2026-30232 CRITICAL - 9.6

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP a...

Vendor: chartbrew
Product: chartbrew
Published: Apr 10, 2026
Source: NVD