Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,488
Showing 7,721 - 7,740 of 13,550 CVEs
CVE-2026-34748 HIGH - 8.7

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another use...

Vendor: payloadcms
Product: payload
Published: Apr 01, 2026
Source: NVD
CVE-2026-34747 HIGH - 8.5

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched i...

Vendor: payloadcms
Product: payload
Published: Apr 01, 2026
Source: NVD
CVE-2026-34746 HIGH - 7.7

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server...

Vendor: payloadcms
Product: payload
Published: Apr 01, 2026
Source: NVD
CVE-2026-33544 HIGH - 7.7

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent re...

Vendor: go
Product: github.com/steveiliop56/tinyauth
Published: Apr 01, 2026
Source: GitHub
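The Tinyauth entry describes per-login secrets (PKCE verifiers, access tokens) kept in fields of one service instance that every request shares. The following is an added Python illustration written for this page, not Tinyauth's code (which is Go): the same pattern in a shared-state service beside a service that keys the verifier by the OAuth `state` value and consumes it once. The provider, the user names and the interleaving are constructed; the overlap is scripted so the failure reproduces deterministically rather than depending on a real race.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _code_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class FakeProvider:
    """Constructed stand-in for the authorization server: remembers the
    challenge sent with each `state` and checks the verifier at token exchange."""

    def __init__(self) -> None:
        self._challenges: Dict[str, str] = {}

    def authorize(self, state: str, challenge: str) -> None:
        self._challenges[state] = challenge

    def exchange(self, state: str, verifier: str) -> bool:
        return self._challenges.get(state) == _code_challenge(verifier)


class SharedStateOAuthService:
    """Vulnerable pattern: a single instance serves every request and keeps
    the verifier in an instance field, so a later login overwrites it."""

    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider
        self.verifier: Optional[str] = None  # shared across all users

    def begin(self) -> str:
        state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)  # clobbers any login in flight
        self.provider.authorize(state, _code_challenge(self.verifier))
        return state

    def finish(self, state: str) -> bool:
        return self.provider.exchange(state, self.verifier or "")


class PerRequestOAuthService:
    """Hardened pattern: the verifier is stored under its own `state` and
    removed on first use, so logins cannot interfere or be replayed."""

    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider
        self._pending: Dict[str, str] = {}

    def begin(self) -> str:
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)
        self._pending[state] = verifier
        self.provider.authorize(state, _code_challenge(verifier))
        return state

    def finish(self, state: str) -> bool:
        verifier = self._pending.pop(state, None)  # one-shot lookup
        if verifier is None:
            return False
        return self.provider.exchange(state, verifier)


def interleaved_logins(service_cls) -> Tuple[bool, bool]:
    """Alice starts a login, Bob starts one, then both callbacks arrive.
    Returns (alice_ok, bob_ok)."""
    svc = service_cls(FakeProvider())
    alice_state = svc.begin()
    bob_state = svc.begin()
    return svc.finish(alice_state), svc.finish(bob_state)


if __name__ == "__main__":
    print(interleaved_logins(SharedStateOAuthService))  # (False, True)
    print(interleaved_logins(PerRequestOAuthService))   # (True, True)
```

With the shared instance, Alice's token exchange is attempted with Bob's verifier and fails; in a real deployment the same field-sharing means one user's access token can be read back by another user's request, which is the more serious half of the advisory. Keying pending state by `state` (or sealing it into a per-browser cookie) removes both problems, and popping the entry on use also rejects a replayed callback.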
CVE-2026-29782 HIGH - 7.2

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET paramete...

Vendor: composer
Product: devcode-it/openstamanager
Published: Apr 01, 2026
Source: GitHub
CVE-2026-28805 HIGH - 8.8

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $super...

Vendor: composer
Product: devcode-it/openstamanager
Published: Apr 01, 2026
Source: GitHub
CVE-2026-34874 HIGH - 7.5

An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-25835 HIGH - 7.7

Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-25833 HIGH - 7.5

Mbed TLS 3.5.0 through 3.6.5 (fixed in 3.6.6 and 4.1.0) has a buffer overflow in the x509_inet_pton_ipv6() function.

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-34445 HIGH - 8.6

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the...

Vendor: onnx
Product: onnx
Published: Apr 01, 2026
Source: NVD
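The ONNX entry describes metadata from the model file being applied with `setattr()` without checking that each key names an expected field. The following is an added Python illustration written for this page, not ONNX's implementation: a loader that mirrors that pattern beside one with an allowlist of typed fields. The `Entry` class, the `basepath` attribute and the malicious entries are constructed for the demo.

```python
from typing import List, Optional


class Entry:
    """Constructed stand-in for one key/value pair stored with an externally
    located tensor.  In a real model file these pairs are attacker-controlled."""

    def __init__(self, key: str, value: str) -> None:
        self.key = key
        self.value = value


class UnsafeExternalDataInfo:
    """Vulnerable pattern: every key in the file becomes an attribute, so the
    file can overwrite fields the loader itself set (here `basepath`)."""

    def __init__(self, entries: List[Entry], basepath: str = "/models/safe") -> None:
        self.location = ""
        self.offset: Optional[int] = None
        self.length: Optional[int] = None
        self.checksum: Optional[str] = None
        self.basepath = basepath  # trusted: chosen by the loader, not the file
        for e in entries:
            setattr(self, e.key, e.value)  # no check that e.key is an expected field


# Allowlist of fields the file may populate, with the type each must parse to.
ALLOWED_KEYS = {"location": str, "offset": int, "length": int, "checksum": str}


class SafeExternalDataInfo:
    """Hardened pattern: unknown or duplicate keys are rejected and values are
    converted to the declared type instead of being stored as raw strings."""

    def __init__(self, entries: List[Entry], basepath: str = "/models/safe") -> None:
        self.location = ""
        self.offset: Optional[int] = None
        self.length: Optional[int] = None
        self.checksum: Optional[str] = None
        self.basepath = basepath
        seen = set()
        for e in entries:
            if e.key not in ALLOWED_KEYS:
                raise ValueError(f"unexpected external_data key: {e.key!r}")
            if e.key in seen:
                raise ValueError(f"duplicate external_data key: {e.key!r}")
            seen.add(e.key)
            typ = ALLOWED_KEYS[e.key]
            try:
                val = typ(e.value)
            except ValueError:
                raise ValueError(f"bad value for {e.key!r}: {e.value!r}") from None
            if typ is int and val < 0:
                raise ValueError(f"{e.key} must be non-negative, got {val}")
            setattr(self, e.key, val)


# Constructed malicious entries: a valid location plus a key that names a
# loader-owned attribute.
MALICIOUS_ENTRIES = [Entry("location", "weights.bin"), Entry("basepath", "/tmp/evil")]


def load_unsafe(entries: List[Entry]) -> str:
    """Returns the basepath the vulnerable loader would use afterwards."""
    return UnsafeExternalDataInfo(entries).basepath


def load_safe(entries: List[Entry]) -> str:
    """Returns the basepath, or the rejection message, from the hardened loader."""
    try:
        return SafeExternalDataInfo(entries).basepath
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(load_unsafe(MALICIOUS_ENTRIES))  # /tmp/evil
    print(load_safe(MALICIOUS_ENTRIES))    # rejected: unexpected external_data key: 'basepath'
```

The general rule this shows: data read from a file format should populate a fixed schema, never the object's namespace. Reflective assignment from untrusted keys is the same class of defect whether it appears in a model loader, a config parser or a deserializer.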
CVE-2026-34376 HIGH - 7.5

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without comple...

Vendor: mrmn2
Product: PdfDing
Published: Apr 01, 2026
Source: NVD
CVE-2026-34236 HIGH - 8.2

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cook...

Vendor: auth0
Product: auth0-PHP
Published: Apr 01, 2026
Source: NVD
CVE-2026-34222 HIGH - 7.7

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

Vendor: open-webui
Product: open-webui
Published: Apr 01, 2026
Source: NVD
CVE-2026-34072 HIGH - 8.3

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

Vendor: fccview
Product: cronmaster
Published: Apr 01, 2026
Source: NVD
CVE-2026-30273 HIGH - 7.3

pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.

Vendor: gabrieleventuri
Product: pandasai
Published: Apr 01, 2026
Source: NVD
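The OpenSTAManager entry (blind SQL injection through the `options[stato]` parameter) and the pandas-ai entry above both come down to request-derived text reaching a query as SQL rather than as a bound value. The following is an added Python illustration written for this page, not either project's code (OpenSTAManager is PHP): a string-built filter beside a parameterized one over an in-memory SQLite table, plus the blind inference loop an attacker runs through the vulnerable version. The table and column names, the rows and the stored hash are constructed; SQLite has no sleep function, so the loop infers from row presence where a time-based payload would infer from a delay.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed data: a ticket table filtered by status, and a users table whose
# hash column stands in for whatever the injection is used to read out.
SECRET_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

Row = Tuple[int, str, str]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE interventi (id INTEGER, descrizione TEXT, stato TEXT)")
    conn.executemany(
        "INSERT INTO interventi VALUES (?, ?, ?)",
        [(1, "Printer", "aperto"), (2, "Router", "aperto"), (3, "Laptop", "chiuso")],
    )
    conn.execute("CREATE TABLE users (username TEXT, hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", SECRET_HASH))
    return conn


def select_vulnerable(stato: str) -> List[Row]:
    """Vulnerable: the request value is spliced into the SQL text, so quotes
    and operators inside it become part of the query."""
    sql = f"SELECT id, descrizione, stato FROM interventi WHERE stato = '{stato}'"
    return _db().execute(sql).fetchall()


def select_parameterized(stato: str) -> List[Row]:
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, descrizione, stato FROM interventi WHERE stato = ?"
    return _db().execute(sql, (stato,)).fetchall()


def blind_extract(query: Callable[[str], List[Row]], length: int) -> str:
    """Boolean-blind inference through `query`: recovers the first `length`
    hex characters of the stored hash, one position at a time, from whether
    any row comes back.  A time-based variant replaces the row check with a
    measured delay but asks exactly the same questions."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            payload = (
                f"aperto' AND substr((SELECT hash FROM users LIMIT 1), {pos}, 1) = '{ch}"
            )
            if query(payload):
                recovered += ch
                break
        else:
            break  # no character matched: the injection does not work here
    return recovered


if __name__ == "__main__":
    print(select_vulnerable("' OR '1'='1"))      # all three rows
    print(select_parameterized("' OR '1'='1"))  # []
    print(blind_extract(select_vulnerable, 8))     # 5f4dcc3b
    print(blind_extract(select_parameterized, 8))  # ''
```

Each probe closes the opening quote the template supplies and lets the template's own trailing quote close the comparison, which is why no comment sequence is needed. Against the parameterized query the whole payload is compared literally to the `stato` column, nothing matches, and the loop stops at the first position.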
CVE-2026-20155 HIGH - 8.0

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization ...

Vendor: Cisco
Product: Cisco Evolved Programmable Network Manager (EPNM)
Published: Apr 01, 2026
Source: NVD
CVE-2026-20151 HIGH - 7.3

A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit thi...

Vendor: Cisco
Product: Cisco Smart Software Manager On-Prem
Published: Apr 01, 2026
Source: NVD
CVE-2026-20094 HIGH - 8.8

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with read-only privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation o...

Vendor: Cisco
Product: Cisco Unified Computing System (Standalone), Cisco Unified Computing System E-Series Software (UCSE)
Published: Apr 01, 2026
Source: NVD
CVE-2026-4924 HIGH - 8.2

Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated sessi...

Vendor: devolutions
Product: devolutions_server
Published: Apr 01, 2026
Source: NVD
CVE-2026-4828 HIGH - 8.2

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

Vendor: devolutions
Product: devolutions_server
Published: Apr 01, 2026
Source: NVD
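Both Devolutions Server entries describe an MFA bypass by a remote attacker who already holds valid credentials, the first via reuse of a partially authenticated session. The following is an added Python illustration written for this page, not Devolutions' code: a session store that records each factor separately, a weak access check that accepts a password-only session, a strict check that requires both, and session re-keying after the second factor. The endpoint names and the user are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_ok: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create_after_password(self, user: str) -> str:
        """Issued once the password checks out; the session is only partial."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(user=user, password_ok=True)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def complete_mfa(self, sid: str) -> Optional[str]:
        """Marks the second factor done and re-keys the session, so the
        pre-MFA id stops working even if it leaked or was kept around."""
        sess = self._sessions.pop(sid, None)
        if sess is None or not sess.password_ok:
            return None
        sess.mfa_ok = True
        new_sid = secrets.token_urlsafe(24)
        self._sessions[new_sid] = sess
        return new_sid


def access_weak(store: SessionStore, sid: str) -> bool:
    """Vulnerable check: a password-only session already passes."""
    sess = store.get(sid)
    return sess is not None and sess.password_ok


def access_strict(store: SessionStore, sid: str) -> bool:
    """Fixed check: both factors must be recorded on this session, server-side;
    nothing in the request can assert that MFA happened."""
    sess = store.get(sid)
    return sess is not None and sess.password_ok and sess.mfa_ok


def scenario() -> Dict[str, bool]:
    """An attacker with a valid password stops after step one and tries the
    protected endpoint; the legitimate user finishes MFA."""
    store = SessionStore()
    partial = store.create_after_password("alice")
    result = {
        "partial_weak": access_weak(store, partial),
        "partial_strict": access_strict(store, partial),
    }
    full = store.complete_mfa(partial)
    result["full_strict"] = full is not None and access_strict(store, full)
    result["old_id_after_mfa"] = access_strict(store, partial)
    return result


if __name__ == "__main__":
    print(scenario())
```

Two properties carry the weight here: the MFA flag lives only on the server-side session, never in a request parameter or client-writable cookie, so a crafted login request cannot set it; and the identifier handed out before MFA is retired when MFA completes, so a partial session cannot be kept and reused later.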