Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,325
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 22,301 - 22,320 of 41,864 CVEs

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitation r...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4857 HIGH - 8.4

IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityI...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40256 MEDIUM - 5.0

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when t...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-39845 MEDIUM - 4.1

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-34632 HIGH - 8.2

Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search path used by the app...

Vendor: Adobe
Product: Adobe Photoshop Installer
Published: Apr 15, 2026
Source: NVD
CVE-2026-34393 HIGH - 8.8

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-34244 MEDIUM - 5.0

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, ...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-34242 HIGH - 7.7

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-33667 HIGH - 7.4

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins se...

Vendor: opf
Product: openproject
Published: Apr 15, 2026
Source: NVD
CVE-2026-33440 MEDIUM - 5.0

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-33435 HIGH - 8.0

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immedi...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-33220 MEDIUM - 6.8

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feat...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-6290 HIGH - 8.0

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs wh...

Published: Apr 15, 2026
Source: NVD
CVE-2026-5758 MEDIUM - 6.5

JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.

Published: Apr 15, 2026
Source: NVD
CVE-2026-33214 MEDIUM - 4.3

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so ...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD
CVE-2026-32631 HIGH - 7.4

Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses...

Vendor: git-for-windows
Product: git
Published: Apr 15, 2026
Source: NVD
CVE-2026-30993 CRITICAL - 9.8

Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

Published: Apr 15, 2026
Source: NVD
CVE-2026-6372 HIGH - 7.5

Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.

Published: Apr 15, 2026
Source: NVD
CVE-2026-6370 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.

Published: Apr 15, 2026
Source: NVD