Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,352
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 23,541 - 23,560 of 41,864 CVEs

OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.

Vendor: OpenPLC_V3
Product: OpenPLC_V3
Published: Apr 09, 2026
Source: NVD
CVE-2026-5971 HIGH - 7.3

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5970 HIGH - 7.3

A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function check_solution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. The ...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5329 HIGH - 8.5

Rapid7 Velociraptor versions prior to 0.76.2Β contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring me...

Published: Apr 09, 2026
Source: NVD

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementati...

Vendor: ethereum
Product: web3.py
Published: Apr 09, 2026
Source: NVD
CVE-2026-40071 MEDIUM - 5.4

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

Vendor: pyload
Product: pyload
Published: Apr 09, 2026
Source: NVD
CVE-2026-40070 HIGH - 8.1

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the call...

Vendor: sgbett
Product: bsv-ruby-sdk, bsv-sdk, bsv-wallet
Published: Apr 09, 2026
Source: NVD
CVE-2026-40069 HIGH - 7.5

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStat...

Vendor: sgbett
Product: bsv-ruby-sdk
Published: Apr 09, 2026
Source: NVD
CVE-2026-39985 MEDIUM - 4.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, wh...

Vendor: aces
Product: Loris
Published: Apr 09, 2026
Source: NVD
CVE-2026-39980 CRITICAL - 9.1

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform proces...

Vendor: OpenCTI-Platform
Product: opencti
Published: Apr 09, 2026
Source: NVD
CVE-2026-39961 MEDIUM - 6.8

Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace β€” production database credentials, API keys, s...

Vendor: aiven
Product: aiven-operator
Published: Apr 09, 2026
Source: NVD
CVE-2026-39911 HIGH - 8.8

Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() c...

Vendor: hashgraph
Product: guardian
Published: Apr 09, 2026
Source: NVD
CVE-2026-39315 MEDIUM - 6.1

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts...

Vendor: unjs
Product: unhead
Published: Apr 09, 2026
Source: NVD
CVE-2026-35207 MEDIUM - 5.4

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from ...

Vendor: linuxdeepin
Product: dde-control-center, deepin-deepinid-plugin
Published: Apr 09, 2026
Source: NVD
CVE-2026-30478 HIGH - 8.8

A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.

Published: Apr 09, 2026
Source: NVD
CVE-2026-1584 HIGH - 7.5

A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and re...

Published: Apr 09, 2026
Source: NVD
CVE-2025-70797 MEDIUM - 6.1

Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.

Vendor: limesurvey
Product: limesurvey
Published: Apr 09, 2026
Source: NVD
CVE-2025-63238 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.

Vendor: limesurvey
Product: limesurvey
Published: Apr 09, 2026
Source: NVD
CVE-2026-5962 HIGH - 7.3

A vulnerability was detected in Tenda CH22 1.0.0.6(468). This issue affects the function R7WebsSecurityHandlerfunction of the component httpd. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used.

Published: Apr 09, 2026
Source: NVD
CVE-2026-5961 HIGH - 7.3

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This vulnerability affects unknown code of the file /topic-details.php. The manipulation of the argument post_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed pu...

Published: Apr 09, 2026
Source: NVD