Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,220
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,161 - 7,180 of 13,819 CVEs
CVE-2026-39416 MEDIUM - 6.1

AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer than 800 characters was processed, attacker-controlled c...

Vendor: ail-project
Product: ail-framework
Published: Apr 08, 2026
Source: NVD
CVE-2026-39415 MEDIUM - 4.3

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated s...

Vendor: frappe
Product: lms
Published: Apr 08, 2026
Source: NVD
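The Frappe Learning entry above describes a server that stores a score the browser computed. The block below is an added example and not Frappe LMS code: the answer key, the request shape, the pass mark and the tampered submission are all constructed. It shows the vulnerable pattern next to the fix, which recomputes the score on the server from the submitted answers and ignores any client-supplied score field.

```python
"""Server-side quiz scoring: never persist a score the client calculated.

Added example, not Frappe LMS code. ANSWER_KEY, PASS_MARK and the
submission format are constructed for illustration.
"""
from typing import Dict

# Constructed answer key, question id -> correct option. Held server-side only.
ANSWER_KEY: Dict[str, str] = {"q1": "b", "q2": "d", "q3": "a", "q4": "c"}
PASS_MARK = 50.0  # percent; assumed value


def score_from_client(submission: dict) -> float:
    """Vulnerable pattern: the server records whatever 'score' the browser sends.

    Anyone who can edit the request body (browser devtools, an intercepting
    proxy) sets their own grade before the submission reaches the server.
    """
    return float(submission["score"])


def score_server_side(submission: dict) -> float:
    """Hardened: recompute the score from the answers and the server-held key.

    A client-supplied 'score' field is ignored even if present; answers for
    unknown question ids are ignored; missing answers count as wrong.
    """
    answers = submission.get("answers", {})
    if not isinstance(answers, dict):
        raise ValueError("answers must be an object mapping question id -> option")
    correct = sum(1 for qid, want in ANSWER_KEY.items() if answers.get(qid) == want)
    return round(100.0 * correct / len(ANSWER_KEY), 2)


def grade(submission: dict) -> dict:
    """The record that gets persisted: score and pass/fail, both computed here."""
    score = score_server_side(submission)
    return {"score": score, "passed": score >= PASS_MARK}


# Constructed request from a student who answered one question correctly and
# edited the score field to 100 before submitting.
TAMPERED_SUBMISSION = {
    "quiz": "intro-101",
    "answers": {"q1": "b", "q2": "a", "q3": "c", "q4": "d"},
    "score": 100.0,
}

if __name__ == "__main__":
    print("trusting the client:", score_from_client(TAMPERED_SUBMISSION))
    print("server-side grade  :", grade(TAMPERED_SUBMISSION))
```

The same rule applies to any derived value the client could compute (totals, discounts, elapsed time): the server stores only what it derived itself from the raw inputs.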
CVE-2026-39880 MEDIUM - 5.0

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscrip...

Vendor: remnawave
Product: backend
Published: Apr 08, 2026
Source: NVD
CVE-2026-39864 MEDIUM - 4.4

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user ...

Vendor: kamailio
Product: kamailio
Published: Apr 08, 2026
Source: NVD
CVE-2026-35479 MEDIUM - 6.6

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (...

Vendor: inventree
Product: InvenTree
Published: Apr 08, 2026
Source: NVD
CVE-2026-35477 MEDIUM - 5.5

InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed jinja2.Environ...

Vendor: inventree
Product: InvenTree
Published: Apr 08, 2026
Source: NVD
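The InvenTree entry above describes a validator moved to jinja2.sandbox.SandboxedEnvironment while the renderer kept jinja2.Environment. The following is an added example, not InvenTree code, of why that split protects nothing: a sandbox-based validator accepts a template whose dunder attribute access the sandbox silently turns into an empty Undefined, and the unsandboxed renderer then evaluates the same expression for real. The PART_NAME_FORMAT-style template, the probe payload and the sample context are constructed, and jinja2 is assumed to be installed.

```python
"""Validator/renderer environment mismatch in Jinja2.

Added example, not InvenTree code. PROBE_TEMPLATE and SAMPLE_CONTEXT are
constructed; jinja2 is assumed to be installed.
"""
from typing import Optional

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker-controlled format string. In the sandbox, access to a
# dunder attribute yields an Undefined that renders as "" without raising, so
# a validator that "renders it in the sandbox" accepts it. The plain
# Environment evaluates it and exposes the Python type object, which is the
# first link of the usual SSTI chain towards object.__subclasses__().
PROBE_TEMPLATE = "{{ part.name }} / {{ ''.__class__ }}"
SAMPLE_CONTEXT = {"part": {"name": "widget"}}


def validate_in_sandbox(template_src: str) -> bool:
    """The 'fixed' validator: accept the template if it renders in the sandbox."""
    try:
        SandboxedEnvironment().from_string(template_src).render(**SAMPLE_CONTEXT)
        return True
    except SecurityError:
        return False


def render_unsandboxed(template_src: str, **ctx) -> str:
    """Vulnerable renderer: full jinja2.Environment on a user-supplied template."""
    return Environment(autoescape=False).from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, **ctx) -> Optional[str]:
    """Hardened renderer: the same SandboxedEnvironment class the validator uses.

    Returns None when the sandbox refuses the template outright.
    """
    try:
        env = SandboxedEnvironment(autoescape=False)
        return env.from_string(template_src).render(**ctx)
    except SecurityError:
        return None


if __name__ == "__main__":
    print("validator accepts  :", validate_in_sandbox(PROBE_TEMPLATE))
    print("unsandboxed render :", render_unsandboxed(PROBE_TEMPLATE, **SAMPLE_CONTEXT))
    print("sandboxed render   :", render_sandboxed(PROBE_TEMPLATE, **SAMPLE_CONTEXT))
```

A check made in one environment says nothing about what another environment will evaluate; validation and rendering have to go through the same sandboxed environment, and the render path is the one that matters.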
CVE-2026-35407 MEDIUM - 6.5

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow: the confirmation flow did not verify that the email change confirmation token was issued for the given authenticat...

Vendor: saleor
Product: saleor
Published: Apr 08, 2026
Source: NVD
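The Saleor entry above describes a confirmation step that accepted a genuine email-change token without checking which account it had been issued for. Below is an added example, not Saleor code, of a signed token that carries the requesting user id together with a confirmation handler that enforces it; the token format, secret, user ids and addresses are constructed.

```python
"""Email-change confirmation tokens bound to the account that requested them.

Added example, not Saleor code. SECRET, the token layout, user ids and
addresses are constructed; a real deployment keeps SECRET in settings and
also marks tokens single-use.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SECRET = b"constructed-server-secret-rotate-me"
TOKEN_TTL_SECONDS = 3600


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_email_change_token(user_id: int, new_email: str,
                             now: Optional[float] = None) -> str:
    """Token carrying the subject account (uid), the new address and an expiry."""
    issued = now if now is not None else time.time()
    claims = {"uid": user_id, "email": new_email,
              "exp": int(issued + TOKEN_TTL_SECONDS)}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{payload}.{_sign(payload)}"


def _verify_token(token: str, now: float) -> Optional[dict]:
    """Signature and expiry only: proves the token is genuine, not whose it is."""
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(_sign(payload), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def confirm_vulnerable(token: str, authenticated_user_id: int,
                       accounts: Dict[int, str], now: Optional[float] = None) -> bool:
    """Flawed flow: any genuine token rewrites the email of whoever is logged in.

    A token minted for account 2 can be presented inside account 1's session
    and account 1 ends up with the address chosen by account 2.
    """
    claims = _verify_token(token, now if now is not None else time.time())
    if claims is None:
        return False
    accounts[authenticated_user_id] = claims["email"]
    return True


def confirm_fixed(token: str, authenticated_user_id: int,
                  accounts: Dict[int, str], now: Optional[float] = None) -> bool:
    """Fixed flow: the token must have been issued for the authenticated account."""
    claims = _verify_token(token, now if now is not None else time.time())
    if claims is None or claims.get("uid") != authenticated_user_id:
        return False
    accounts[authenticated_user_id] = claims["email"]
    return True


if __name__ == "__main__":
    # Constructed scenario: user 2 requests a change on their own account and
    # then presents that token while user 1's session is authenticated.
    accounts = {1: "alice@example.test", 2: "mallory@example.test"}
    token = issue_email_change_token(2, "mallory-new@attacker.test")
    print("vulnerable:", confirm_vulnerable(token, 1, dict(accounts)))
    print("fixed     :", confirm_fixed(token, 1, dict(accounts)))
```

Binding the token to the subject account (and, where the flow allows it, to the session that requested the change) turns the check from "is this token genuine" into "is this token genuine and mine"; the second question is the one the authorization decision needs answered.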
CVE-2026-35403 MEDIUM - 6.5

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provid...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-35165 MEDIUM - 6.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not cor...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-34985 MEDIUM - 6.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the ba...

Vendor: aces
Product: Loris
Published: Apr 08, 2026
Source: NVD
CVE-2026-34719 MEDIUM - 4.3

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing proper validation for loopback addresses or link-local addresses; only the URL scheme (HTTP/HTTPS) and the hostname were checked. This could end up in retrieving con...

Vendor: zammad
Product: zammad
Published: Apr 08, 2026
Source: NVD
CVE-2026-30817 MEDIUM - 5.7

An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, pote...

Vendor: TP-Link Systems Inc.
Product: AX53 v1.0
Published: Apr 08, 2026
Source: NVD
CVE-2026-30816 MEDIUM - 5.7

An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, po...

Vendor: TP-Link Systems Inc.
Product: AX53 v1.0
Published: Apr 08, 2026
Source: NVD
CVE-2026-20709 MEDIUM - 6.6

Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high ...

Published: Apr 08, 2026
Source: NVD
CVE-2026-0814 MEDIUM - 4.3

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-leve...

Published: Apr 08, 2026
Source: NVD
CVE-2026-0811 MEDIUM - 5.4

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated atta...

Published: Apr 08, 2026
Source: NVD
CVE-2025-30650 MEDIUM - 6.7

A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line...

Vendor: Juniper Networks
Product: Junos OS
Published: Apr 08, 2026
Source: NVD
CVE-2026-33459 MEDIUM - 6.5

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent ...

Vendor: Elastic
Product: Kibana
Published: Apr 08, 2026
Source: NVD
CVE-2026-33458 MEDIUM - 6.3

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

Vendor: Elastic
Product: Kibana
Published: Apr 08, 2026
Source: NVD
CVE-2026-32591 MEDIUM - 5.2

A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An at...

Vendor: Red Hat
Product: mirror registry for Red Hat OpenShift, mirror registry for Red Hat OpenShift 2, Red Hat Quay 3
Published: Apr 08, 2026
Source: NVD
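The Zammad webhook, Kibana One Workflow and Red Hat Quay proxy-cache entries above describe the same gap: an operator-supplied outbound URL is accepted after checking only its scheme, hostname syntax or membership in a host allowlist, so a name that resolves to a loopback, link-local or private address still reaches internal services. The block below is an added example and is not code from any of those three projects. It validates the URL, resolves the host, rejects every answer that lands in a forbidden range, and returns a pinned IP to connect to. The resolver hook and the FAKE_DNS table are constructed so the check runs offline; in production, pass the system resolver and connect to the returned IP rather than resolving the hostname a second time, otherwise a DNS answer that changes between check and connect reopens the hole.

```python
"""Validating an operator-supplied outbound URL before the server connects to it.

Added example (not code from Zammad, Kibana or Quay). FAKE_DNS and
fake_resolver are constructed so the check runs offline; use system_resolver
in production and connect to ValidatedTarget.ip, not to the hostname again.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Union
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolver(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer for host (not exercised offline)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed DNS answers standing in for the resolver in this demonstration.
FAKE_DNS: Dict[str, List[str]] = {
    "hooks.example.test": ["8.8.8.8"],
    "metadata.attacker.test": ["169.254.169.254"],   # link-local: cloud metadata
    "localtest.attacker.test": ["127.0.0.1"],        # loopback
    "split.attacker.test": ["1.1.1.1", "10.0.0.5"],  # one public, one private answer
    "workflow-target.example.test": ["10.0.0.5"],    # allowlisted name, internal address
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_forbidden_address(ip: IPAddress) -> bool:
    """Addresses a webhook, workflow step or registry proxy must never reach."""
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class ValidatedTarget(NamedTuple):
    scheme: str
    host: str
    port: int
    ip: str  # pin the connection to this address so a later DNS change cannot redirect it


def validate_outbound_url(url: str, resolver: Resolver = system_resolver,
                          host_allowlist: Optional[Set[str]] = None) -> ValidatedTarget:
    """Return the pinned target for url, or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if host_allowlist is not None and host not in host_allowlist:
        raise ValueError(f"{host} is not in the host allowlist")
    try:                               # literal IP, including bracketed IPv6
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:                 # hostname: every answer must be acceptable
        answers = resolver(host)
        if not answers:
            raise ValueError(f"{host} does not resolve")
        addrs = [ipaddress.ip_address(a) for a in answers]
    for ip in addrs:
        if is_forbidden_address(ip):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return ValidatedTarget(parts.scheme, host, port, str(addrs[0]))


def rejection_reason(url: str, resolver: Resolver = system_resolver,
                     host_allowlist: Optional[Set[str]] = None) -> Optional[str]:
    """None if url is acceptable, otherwise the reason it was rejected."""
    try:
        validate_outbound_url(url, resolver, host_allowlist)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for candidate in ("https://hooks.example.test/notify",
                      "https://metadata.attacker.test/latest/meta-data/",
                      "http://split.attacker.test/",
                      "http://[::ffff:127.0.0.1]:8080/",
                      "http://127.1/"):
        print(candidate, "->", rejection_reason(candidate, fake_resolver) or "ok")
```

Two points the example makes that a scheme-and-hostname check misses: a host allowlist is not enough on its own, because an allowlisted name can resolve to an internal address (the workflow-target case), and shorthand literals such as 127.1 or a decimal integer are not literal IPs to the parser but do resolve to loopback through getaddrinfo, so they are caught only by checking the resolved address. Redirects need the same treatment: either disable them for the outbound client or re-run this check on every Location before following it.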