Total CVEs

144,294

Critical Severity

4,165

High Severity

14,995

Last 7 Days

1,598
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 22,401 - 22,420 of 40,699 CVEs
CVE-2026-39943 MEDIUM - 6.5

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensit...

Vendor: directus
Product: directus
Published: Apr 09, 2026
Source: NVD
CVE-2026-39942 HIGH - 8.5

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's...

Vendor: directus
Product: directus
Published: Apr 09, 2026
Source: NVD
CVE-2026-39856 MEDIUM - 5.5

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When processing PE sections for page hashing, the function uses...

Vendor: mtrojnar
Product: osslsigncode
Published: Apr 09, 2026
Source: NVD
CVE-2026-39855 MEDIUM - 5.5

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code (pe_page_hash_calc()). When page hash processing is performed on a PE file, the functio...

Vendor: mtrojnar
Product: osslsigncode
Published: Apr 09, 2026
Source: NVD
CVE-2026-30479 CRITICAL - 9.1

A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.

Published: Apr 09, 2026
Source: NVD
CVE-2026-5960 MEDIUM - 4.3

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploi...

Published: Apr 09, 2026
Source: NVD
CVE-2026-4878 MEDIUM - 6.7

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, ...

Published: Apr 09, 2026
Source: NVD
CVE-2026-39941 MEDIUM - 6.1

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims�...

Vendor: ChurchCRM
Product: CRM
Published: Apr 09, 2026
Source: NVD
CVE-2026-39853 HIGH - 7.8

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectData...

Vendor: mtrojnar
Product: osslsigncode
Published: Apr 09, 2026
Source: NVD
CVE-2026-39843 HIGH - 7.7

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is ...

Vendor: makeplane
Product: plane
Published: Apr 09, 2026
Source: NVD

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

Vendor: helm
Product: helm
Published: Apr 09, 2026
Source: NVD

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not in...

Vendor: helm
Product: helm
Published: Apr 09, 2026
Source: NVD
CVE-2026-35041 MEDIUM - 4.2

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the su...

Vendor: nearform
Product: fast-jwt
Published: Apr 09, 2026
Source: NVD
CVE-2026-35040 MEDIUM - 5.3

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statefu...

Vendor: nearform
Product: fast-jwt
Published: Apr 09, 2026
Source: NVD
CVE-2026-34020 HIGH - 7.5

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters.Β Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 bef...

Vendor: Apache Software Foundation
Product: Apache OpenMeetings
Published: Apr 09, 2026
Source: NVD
CVE-2026-33266 HIGH - 7.5

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a ...

Vendor: Apache Software Foundation
Product: Apache OpenMeetings
Published: Apr 09, 2026
Source: NVD
CVE-2026-33005 MEDIUM - 4.3

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields ...

Vendor: Apache Software Foundation
Product: Apache OpenMeetings
Published: Apr 09, 2026
Source: NVD
CVE-2025-70365 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pa...

Published: Apr 09, 2026
Source: NVD
CVE-2025-70364 HIGH - 8.8

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.

Published: Apr 09, 2026
Source: NVD

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.

Vendor: Canonical
Product: Ubuntu
Published: Apr 09, 2026
Source: NVD