Total CVEs

145,779

Critical Severity

4,273

High Severity

15,744

Last 7 Days

2,233
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,241 - 23,260 of 42,184 CVEs
CVE-2026-28291 HIGH - 8.1

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE...

Vendor: steveukx
Product: git-js
Published: Apr 13, 2026
Source: NVD
CVE-2025-3756 MEDIUM - 6.5

A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnera bility by using a specially crafted 61850 packet, forcing the communication in...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6193 HIGH - 7.3

A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6192 LOW - 3.3

A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The ident...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6191 MEDIUM - 6.3

A vulnerability was determined in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /equipments.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and m...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6190 MEDIUM - 6.3

A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and co...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6189 HIGH - 7.3

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has b...

Published: Apr 13, 2026
Source: NVD

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the pa...

Vendor: ChurchCRM
Product: CRM
Published: Apr 13, 2026
Source: NVD

Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.

Published: Apr 13, 2026
Source: NVD

Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.

Published: Apr 13, 2026
Source: NVD
CVE-2026-36948 HIGH - 7.3

Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php.

Published: Apr 13, 2026
Source: NVD
CVE-2026-33555 MEDIUM - 4.0

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used...

Vendor: HAProxy
Product: HAProxy
Published: Apr 13, 2026
Source: NVD

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in...

Vendor: decidim
Product: decidim
Published: Apr 13, 2026
Source: NVD
CVE-2026-40179 MEDIUM - 6.1

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escapi...

Vendor: go
Product: github.com/prometheus/prometheus
Published: Apr 13, 2026
Source: GitHub
CVE-2026-35582 HIGH - 8.8

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FILE_ENDING and OUT_FI...

Vendor: maven
Product: gov.nsa.emissary:emissary
Published: Apr 13, 2026
Source: GitHub

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap()...

Vendor: go
Product: github.com/external-secrets/external-secrets
Published: Apr 13, 2026
Source: GitHub
CVE-2026-34069 MEDIUM - 5.3

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the firs...

Vendor: rust
Product: nimiq-consensus
Published: Apr 13, 2026
Source: GitHub
CVE-2026-6231 MEDIUM - 4.3

The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6188 HIGH - 7.3

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete_sales. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and ma...

Published: Apr 13, 2026
Source: NVD
CVE-2026-6187 HIGH - 7.3

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=chk_prod_availability. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is...

Published: Apr 13, 2026
Source: NVD