Total CVEs

144,278

Critical Severity

4,164

High Severity

14,985

Last 7 Days

1,612
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 22,321 - 22,340 of 40,683 CVEs
CVE-2026-5974 HIGH - 7.3

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the probl...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5973 HIGH - 7.3

A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function get_mime_type of the file metagpt/utils/common.py. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was in...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5972 HIGH - 7.3

A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5194 CRITICAL - 9.1

Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if...

Vendor: wolfssl
Product: wolfssl
Published: Apr 09, 2026
Source: NVD
CVE-2026-5187 CRITICAL - 9.8

Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass...

Vendor: wolfssl
Product: wolfssl
Published: Apr 09, 2026
Source: NVD
CVE-2026-4436 HIGH - 8.6

A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.

Published: Apr 09, 2026
Source: NVD
CVE-2026-40089 CRITICAL - 9.9

Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (inclu...

Vendor: sonicverse-eu
Product: audiostreaming-stack
Published: Apr 09, 2026
Source: NVD

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know t...

Vendor: henrygd
Product: beszel
Published: Apr 09, 2026
Source: NVD
CVE-2026-39977 MEDIUM - 6.3

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and va...

Vendor: flatpak
Product: flatpak-builder
Published: Apr 09, 2026
Source: NVD
CVE-2026-35577 MEDIUM - 6.8

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on ...

Vendor: apollographql
Product: apollo-mcp-server
Published: Apr 09, 2026
Source: NVD
CVE-2026-35063 HIGH - 8.8

OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator acc...

Vendor: OpenPLC_V3
Product: OpenPLC_V3
Published: Apr 09, 2026
Source: NVD
CVE-2026-34734 HIGH - 7.8

HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was...

Vendor: HDFGroup
Product: hdf5
Published: Apr 09, 2026
Source: NVD
CVE-2026-34500 MEDIUM - 6.5

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to ver...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-34487 HIGH - 7.5

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-34486 HIGH - 7.5

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to theΒ fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the i...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-34483 HIGH - 7.5

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-32990 MEDIUM - 5.3

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, ...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-29923 HIGH - 7.8

The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.

Published: Apr 09, 2026
Source: NVD
CVE-2026-29146 HIGH - 7.5

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are rec...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-29145 CRITICAL - 9.1

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Nativ...

Vendor: Apache Software Foundation
Product: Apache Tomcat, Apache Tomcat Native
Published: Apr 09, 2026
Source: NVD