Total CVEs

143,745

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,550
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 821 - 840 of 1,590 CVEs

A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

Vendor: CubeCart Limited
Product: CubeCart
Published: Apr 17, 2026
Source: NVD

libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Vendor: libexpat project
Product: libexpat
Published: Apr 16, 2026
Source: NVD
CVE-2026-3155 LOW - 3.1

The OneSignal โ€“ Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscri...

Published: Apr 16, 2026
Source: NVD
CVE-2024-8010 LOW - 3.5

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files fr...

Vendor: wso2
Product: api_manager
Published: Apr 16, 2026
Source: NVD

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when runni...

Vendor: Artifex Software Inc.
Product: MuPDF
Published: Apr 16, 2026
Source: NVD

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Vendor: Yubico
Product: libfido2, python-fido2, yubikey-manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-6313 LOW - 3.1

Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD
CVE-2026-6312 LOW - 3.1

Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, t...

Vendor: apostrophecms
Product: apostrophe
Published: Apr 15, 2026
Source: NVD

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3&...

Vendor: Grafana
Product: Grafana Correlations
Published: Apr 15, 2026
Source: NVD

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so ...

Vendor: WeblateOrg
Product: weblate
Published: Apr 15, 2026
Source: NVD

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. ...

Vendor: Mattermost
Product: Mattermost
Published: Apr 15, 2026
Source: NVD

HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosur...

Vendor: HCL
Product: AION
Published: Apr 15, 2026
Source: NVD

Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout or complexity guard. A crafted regex pattern can trigger catastrophic backtrack...

Vendor: pip
Product: giskard-checks
Published: Apr 14, 2026
Source: GitHub

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be show...

Vendor: go
Product: github.com/oauth2-proxy/oauth2-proxy/v7
Published: Apr 14, 2026
Source: GitHub

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of t...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of t...

Vendor: Adobe
Product: ColdFusion
Published: Apr 14, 2026
Source: NVD

A insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticathed administrator to read LDAP server credentials via client-side inspection.

Vendor: Fortinet
Product: FortiSandbox, FortiSandbox PaaS
Published: Apr 14, 2026
Source: NVD

An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with system administrator role to redirect users to an ar...

Vendor: Fortinet
Product: FortiNAC-F
Published: Apr 14, 2026
Source: NVD

SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.

Published: Apr 14, 2026
Source: NVD