Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,297
Showing 7,881 - 7,900 of 13,708 CVEs
CVE-2026-34746 HIGH - 7.7

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server...

Vendor: payloadcms
Product: payload
Published: Apr 01, 2026
Source: NVD
CVE-2026-33544 HIGH - 7.7

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent re...

Vendor: go
Product: github.com/steveiliop56/tinyauth
Published: Apr 01, 2026
Source: GitHub
CVE-2026-29782 HIGH - 7.2

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET paramete...

Vendor: composer
Product: devcode-it/openstamanager
Published: Apr 01, 2026
Source: GitHub
CVE-2026-28805 HIGH - 8.8

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $super...

Vendor: composer
Product: devcode-it/openstamanager
Published: Apr 01, 2026
Source: GitHub
CVE-2026-34874 HIGH - 7.5

An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-25835 HIGH - 7.7

Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-25833 HIGH - 7.5

Mbed TLS 3.5.0 through 3.6.5 (fixed in 3.6.6 and 4.1.0) has a buffer overflow in the x509_inet_pton_ipv6() function.

Vendor: arm
Product: mbed_tls
Published: Apr 01, 2026
Source: NVD
CVE-2026-34445 HIGH - 8.6

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the...

Vendor: onnx
Product: onnx
Published: Apr 01, 2026
Source: NVD
CVE-2026-34376 HIGH - 7.5

PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without comple...

Vendor: mrmn2
Product: PdfDing
Published: Apr 01, 2026
Source: NVD
CVE-2026-34236 HIGH - 8.2

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cook...

Vendor: auth0
Product: auth0-PHP
Published: Apr 01, 2026
Source: NVD
CVE-2026-34222 HIGH - 7.7

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

Vendor: open-webui
Product: open-webui
Published: Apr 01, 2026
Source: NVD
CVE-2026-34072 HIGH - 8.3

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

Vendor: fccview
Product: cronmaster
Published: Apr 01, 2026
Source: NVD
CVE-2026-30273 HIGH - 7.3

pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.

Vendor: gabrieleventuri
Product: pandasai
Published: Apr 01, 2026
Source: NVD
CVE-2026-20155 HIGH - 8.0

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization ...

Vendor: Cisco
Product: Cisco Evolved Programmable Network Manager (EPNM)
Published: Apr 01, 2026
Source: NVD
CVE-2026-20151 HIGH - 7.3

A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit thi...

Vendor: Cisco
Product: Cisco Smart Software Manager On-Prem
Published: Apr 01, 2026
Source: NVD
CVE-2026-20094 HIGH - 8.8

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with read-only privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation o...

Vendor: Cisco
Product: Cisco Unified Computing System (Standalone), Cisco Unified Computing System E-Series Software (UCSE)
Published: Apr 01, 2026
Source: NVD
CVE-2026-4924 HIGH - 8.2

Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated sessi...

Vendor: devolutions
Product: devolutions_server
Published: Apr 01, 2026
Source: NVD
CVE-2026-4828 HIGH - 8.2

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

Vendor: devolutions
Product: devolutions_server
Published: Apr 01, 2026
Source: NVD
CVE-2026-35099 HIGH - 7.4

Lakeside SysTrack Agent 11 before 11.5.0.15 has a race condition with resultant Local Privilege Escalation to SYSTEM. The fixed versions are 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15.

Vendor: Lakeside Software
Product: SysTrack Agent
Published: Apr 01, 2026
Source: NVD
CVE-2026-30573 HIGH - 7.5

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for...

Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Published: Apr 01, 2026
Source: NVD