Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,630
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,981 - 22,000 of 40,623 CVEs
CVE-2026-32931 HIGH - 7.5

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its orig...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-32930 HIGH - 7.1

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any othe...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-32894 HIGH - 7.1

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_ma...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-32893 MEDIUM - 5.4

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET paramet...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-32892 CRITICAL - 9.1

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshe...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-31941 HIGH - 7.7

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and perf...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-31940 HIGH - 7.5

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC....

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-31939 HIGH - 8.3

Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vu...

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Published: Apr 10, 2026
Source: NVD

Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.

Vendor: chamilo
Product: chamilo-lms
Published: Apr 10, 2026
Source: NVD
CVE-2026-40200 HIGH - 8.1

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or ...

Vendor: musl-libc
Product: musl
Published: Apr 10, 2026
Source: NVD

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

Vendor: MervinPraison
Product: PraisonAIAgents
Published: Apr 10, 2026
Source: NVD
CVE-2026-40159 MEDIUM - 5.5

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess ...

Vendor: MervinPraison
Product: PraisonAI
Published: Apr 10, 2026
Source: NVD
CVE-2026-40158 HIGH - 8.6

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py...

Vendor: MervinPraison
Product: PraisonAI
Published: Apr 10, 2026
Source: NVD

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who ...

Vendor: MervinPraison
Product: PraisonAI
Published: Apr 10, 2026
Source: NVD
CVE-2026-40156 HIGH - 7.8

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code v...

Vendor: MervinPraison
Product: PraisonAI
Published: Apr 10, 2026
Source: NVD
CVE-2026-40103 MEDIUM - 4.3

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.ba...

Vendor: go-vikunja
Product: vikunja
Published: Apr 10, 2026
Source: NVD
CVE-2026-40100 MEDIUM - 5.3

FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthentic...

Vendor: labring
Product: FastGPT
Published: Apr 10, 2026
Source: NVD

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension...

Vendor: smallstep
Product: certificates
Published: Apr 10, 2026
Source: NVD
CVE-2026-40086 MEDIUM - 5.3

Rembg is a tool to remove images background. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious model_path parameter, an attacker can...

Vendor: danielgatis
Product: rembg
Published: Apr 10, 2026
Source: NVD