Total CVEs

145,438

Critical Severity

4,245

High Severity

15,631

Last 7 Days

2,406
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 22,001 - 22,020 of 41,843 CVEs
CVE-2026-40516 HIGH - 8.3

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an a...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 17, 2026
Source: NVD
CVE-2026-40515 HIGH - 7.5

OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properl...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 17, 2026
Source: NVD
CVE-2026-3464 HIGH - 8.8

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an admini...

Published: Apr 17, 2026
Source: NVD
CVE-2026-21733 HIGH - 7.3

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. This is caused by improper handling of GPU memory reservation protections.

Vendor: Imagination Technologies
Product: Graphics DDK
Published: Apr 17, 2026
Source: NVD
CVE-2026-6497 MEDIUM - 6.3

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request f...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6284 CRITICAL - 9.1

An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.

Published: Apr 17, 2026
Source: NVD
CVE-2026-21709 MEDIUM - 6.7

A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.

Vendor: Veeam
Product: Backup and Replication, Software Appliance
Published: Apr 17, 2026
Source: NVD
CVE-2026-6496 MEDIUM - 5.4

A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been m...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6493 LOW - 3.5

A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site s...

Published: Apr 17, 2026
Source: NVD
CVE-2026-41153 MEDIUM - 5.8

In JetBrains Junie before 252.549.29 command execution was possible via malicious project file

Vendor: JetBrains
Product: Junie
Published: Apr 17, 2026
Source: NVD
CVE-2026-37749 CRITICAL - 9.8

A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.

Published: Apr 17, 2026
Source: NVD
CVE-2026-6492 MEDIUM - 5.3

A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure. R...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6491 MEDIUM - 5.3

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached l...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6490 HIGH - 7.3

A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated re...

Published: Apr 17, 2026
Source: NVD
CVE-2026-40459 HIGH - 8.8

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10 an...

Vendor: PAC4J
Product: PAC4J
Published: Apr 17, 2026
Source: NVD
CVE-2026-40458 HIGH - 6.5

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the a...

Vendor: PAC4J
Product: PAC4J
Published: Apr 17, 2026
Source: NVD
CVE-2026-31317 MEDIUM - 7.5

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file

Vendor: composer
Product: markhuot/craftql
Published: Apr 17, 2026
Source: NVD
CVE-2025-70795 MEDIUM - 5.5

STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enab...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6507 HIGH - 7.5

A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq da...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6489 MEDIUM - 6.3

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The att...

Published: Apr 17, 2026
Source: NVD