Total CVEs

144,730

Critical Severity

4,194

High Severity

15,272

Last 7 Days

1,735
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,061 - 23,080 of 41,135 CVEs
CVE-2026-39974 HIGH - 8.5

n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to iss...

Vendor: npm
Product: n8n-mcp
Published: Apr 08, 2026
Source: GitHub

Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to una...

Vendor: go
Product: github.com/dunglas/mercure
Published: Apr 08, 2026
Source: GitHub
CVE-2026-39959 HIGH - 7.1

Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sendi...

Vendor: nuget
Product: Tmds.DBus
Published: Apr 08, 2026
Source: GitHub

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Vendor: saleor
Product: saleor
Published: Apr 08, 2026
Source: NVD
CVE-2026-35455 HIGH - 7.3

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360ยฐ panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR ov...

Vendor: immich-app
Product: immich
Published: Apr 08, 2026
Source: NVD
CVE-2026-35446 HIGH - 7.7

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping th...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-35407 MEDIUM - 6.5

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given authenticat...

Vendor: saleor
Product: saleor
Published: Apr 08, 2026
Source: NVD
CVE-2026-35403 MEDIUM - 6.5

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provid...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-35401 HIGH - 7.5

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a...

Vendor: saleor
Product: saleor
Published: Apr 08, 2026
Source: NVD

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user'...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-35169 HIGH - 8.7

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result ...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-35165 MEDIUM - 6.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not cor...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-34985 MEDIUM - 6.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the ba...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible ...

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in...

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege admi...

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD
CVE-2026-34723 HIGH - 7.5

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7...

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD