Total CVEs

145,779

Critical Severity

4,273

High Severity

15,744

Last 7 Days

2,298
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 24,501 - 24,520 of 42,184 CVEs

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker ca...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD
CVE-2026-28390 HIGH - 7.5

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial ...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD
CVE-2026-28389 HIGH - 7.5

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of S...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD
CVE-2026-28388 HIGH - 7.5

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. ...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD
CVE-2026-28386 CRITICAL - 9.1

Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for ...

Vendor: OpenSSL
Product: OpenSSL
Published: Apr 07, 2026
Source: NVD

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-priv...

Vendor: jhuckaby
Product: Cronicle
Published: Apr 07, 2026
Source: NVD

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The serv...

Vendor: jhuckaby
Product: Cronicle
Published: Apr 07, 2026
Source: NVD
CVE-2026-39397 CRITICAL - 9.4

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control....

Vendor: delmaredigital
Product: payload-puck
Published: Apr 07, 2026
Source: NVD
CVE-2026-35533 HIGH - 7.7

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and ...

Vendor: jdx
Product: mise
Published: Apr 07, 2026
Source: NVD
CVE-2026-34080 MEDIUM - 5.5

xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar case...

Vendor: flatpak
Product: xdg-dbus-proxy
Published: Apr 07, 2026
Source: NVD
CVE-2026-34045 HIGH - 8.2

Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limi...

Vendor: podman-desktop
Product: podman-desktop
Published: Apr 07, 2026
Source: NVD
CVE-2026-32712 MEDIUM - 5.4

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-tabl...

Vendor: opensourcepos
Product: opensourcepos
Published: Apr 07, 2026
Source: NVD
CVE-2026-29181 HIGH - 7.5

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, e...

Vendor: open-telemetry
Product: opentelemetry-go
Published: Apr 07, 2026
Source: NVD

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting per...

Vendor: makeplane
Product: plane
Published: Apr 07, 2026
Source: NVD
CVE-2026-5741 HIGH - 7.3

A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTTP Interface. This manipulation causes os command injection. The attack is possible to be carried out...

Published: Apr 07, 2026
Source: NVD
CVE-2026-5739 HIGH - 7.3

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed r...

Vendor: maven
Product: tech.powerjob:powerjob-server-starter
Published: Apr 07, 2026
Source: NVD

Rejected reason: After further discussion, the issue was determined to not meet the criteria for CVE assignment.

Published: Apr 07, 2026
Source: NVD

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

Vendor: Wikimedia Foundation
Product: Mediawiki - Cargo Extension
Published: Apr 07, 2026
Source: NVD

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

Vendor: Wikimedia Foundation
Product: Mediawiki - Cargo Extension
Published: Apr 07, 2026
Source: NVD