Total CVEs

144,269

Critical Severity

4,162

High Severity

14,979

Last 7 Days

1,663
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 22,141 - 22,160 of 40,674 CVEs

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Apr 10, 2026
Source: NVD

Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Apr 10, 2026
Source: NVD

Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Apr 10, 2026
Source: NVD
CVE-2026-6035 MEDIUM - 4.3

A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is ...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6034 MEDIUM - 4.3

A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the argument BRANCH_ID can lead to cross site scripting. The attack may be launched remotely. The exploit ...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6033 MEDIUM - 6.3

A vulnerability was determined in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /updatedetailsfromstudent.php?eno=146891650. Executing a manipulation of the argument fname can lead to sql injection. The attack may be performed from remote. The exploit has been publicly ...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6032 MEDIUM - 4.3

A vulnerability was found in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkcheckout.php. Performing a manipulation of the argument serviceId results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made pub...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6031 HIGH - 7.3

A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. This affects an unknown function of the file /add-category-function.php. Such manipulation of the argument Category leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the publi...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5525 MEDIUM - 6.0

A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checkin...

Published: Apr 10, 2026
Source: NVD
CVE-2026-40212 MEDIUM - 5.4

OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console logs.

Vendor: OpenStack
Product: Skyline
Published: Apr 10, 2026
Source: NVD
CVE-2026-22750 HIGH - 7.5

When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway ...

Vendor: VMware
Product: Spring Cloud Gateway
Published: Apr 10, 2026
Source: NVD
CVE-2026-6030 MEDIUM - 6.3

A flaw has been found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /del1.php. This manipulation of the argument toolname causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Published: Apr 10, 2026
Source: NVD
CVE-2026-6029 CRITICAL - 9.8

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The ...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6028 CRITICAL - 9.8

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. T...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6027 CRITICAL - 9.8

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remot...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6026 CRITICAL - 9.8

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4432 MEDIUM - 6.5

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, m...

Published: Apr 10, 2026
Source: NVD
CVE-2026-28704 HIGH - 7.8

Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck.

Vendor: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Product: Emocheck
Published: Apr 10, 2026
Source: NVD
CVE-2026-1115 CRITICAL - 9.6

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned...

Vendor: lollms
Product: lollms
Published: Apr 10, 2026
Source: NVD
CVE-2025-14545 MEDIUM - 6.5

The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.

Vendor: Unknown
Product: YML for Yandex Market
Published: Apr 10, 2026
Source: NVD