Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,353
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,521 - 23,540 of 41,864 CVEs
CVE-2026-29145 CRITICAL - 9.1

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Nativ...

Vendor: Apache Software Foundation
Product: Apache Tomcat, Apache Tomcat Native
Published: Apr 09, 2026
Source: NVD
CVE-2026-29129 HIGH - 7.5

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-25854 MEDIUM - 6.1

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. O...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2026-24880 HIGH - 7.5

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through ...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Apr 09, 2026
Source: NVD
CVE-2025-13926 CRITICAL - 9.8

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

Vendor: Contemporary Controls
Product: BASControl20
Published: Apr 09, 2026
Source: NVD
CVE-2026-39912 CRITICAL - 9.1

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to recei...

Vendor: v2board, cedar2025
Product: v2board, Xboard
Published: Apr 09, 2026
Source: NVD
CVE-2026-35556 HIGH - 7.5

OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.

Vendor: OpenPLC_V3
Product: OpenPLC_V3
Published: Apr 09, 2026
Source: NVD
CVE-2026-35195 MEDIUM - 5.4

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointe...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-35186 MEDIUM - 7.5

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting t...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-34987 CRITICAL - 9.9

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following step...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-34971 CRITICAL - 7.8

Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architectu...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can res...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits shou...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-31170 CRITICAL - 9.8

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.

Published: Apr 09, 2026
Source: NVD