Total CVEs

145,438

Critical Severity

4,245

High Severity

15,631

Last 7 Days

2,408
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,961 - 21,980 of 41,843 CVEs
CVE-2026-40155 MEDIUM - 5.4

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if thei...

Vendor: auth0
Product: nextjs-auth0
Published: Apr 17, 2026
Source: NVD
CVE-2026-35603 MEDIUM - 7.3

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by ...

Vendor: anthropics
Product: claude-code
Published: Apr 17, 2026
Source: NVD

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploit...

Vendor: neutrinolabs
Product: xrdp
Published: Apr 17, 2026
Source: NVD

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in ver...

Vendor: neo4j-contrib
Product: mcp-neo4j
Published: Apr 17, 2026
Source: NVD

xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. Th...

Vendor: neutrinolabs
Product: xrdp
Published: Apr 17, 2026
Source: NVD

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicio...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Apr 17, 2026
Source: NVD
CVE-2026-33145 MEDIUM - 6.3

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly c...

Vendor: neutrinolabs
Product: xrdp
Published: Apr 17, 2026
Source: NVD

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without san...

Vendor: Dolibarr
Product: dolibarr
Published: Apr 17, 2026
Source: NVD
CVE-2026-40461 HIGH - 7.5

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.

Vendor: Anviz
Product: Anviz CX7 Firmware, Anviz CX2 Lite Firmware
Published: Apr 17, 2026
Source: NVD
CVE-2026-40434 HIGH - 8.1

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.

Vendor: Anviz
Product: Anviz CrossChex Standard
Published: Apr 17, 2026
Source: NVD
CVE-2026-40342 CRITICAL - 9.9

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNC...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-40283 MEDIUM - 6.8

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and execu...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Apr 17, 2026
Source: NVD
CVE-2026-40066 HIGH - 8.8

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.

Vendor: Anviz
Product: Anviz CX7 Firmware, Anviz CX2 Lite Firmware
Published: Apr 17, 2026
Source: NVD
CVE-2026-35682 HIGH - 8.8

Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access.

Vendor: Anviz
Product: Anviz CX2 Lite Firmware
Published: Apr 17, 2026
Source: NVD
CVE-2026-35546 CRITICAL - 9.8

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.

Vendor: Anviz
Product: Anviz CX7 Firmware, Anviz CX2 Lite Firmware
Published: Apr 17, 2026
Source: NVD
CVE-2026-35215 HIGH - 7.5

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-35061 MEDIUM - 5.3

Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery.

Vendor: Anviz
Product: Anviz CX7 Firmware
Published: Apr 17, 2026
Source: NVD
CVE-2026-34232 HIGH - 7.5

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unaut...

Vendor: FirebirdSQL
Product: firebird
Published: Apr 17, 2026
Source: NVD
CVE-2026-33569 MEDIUM - 6.5

Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device.

Vendor: Anviz
Product: Anviz CX7 Firmware, Anviz CX2 Lite Firmware
Published: Apr 17, 2026
Source: NVD

xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when memory is accessed before validating the remaining buffer length. A remote, unauthenticated attacker can trigger this vulnerability b...

Vendor: neutrinolabs
Product: xrdp
Published: Apr 17, 2026
Source: NVD