Total CVEs

143,746

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,542
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 881 - 900 of 1,590 CVEs

Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability.

Vendor: Samsung Mobile
Product: Samsung Camera
Published: Apr 13, 2026
Source: NVD

External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Apr 13, 2026
Source: NVD

Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access to hidden notification contents.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Apr 13, 2026
Source: NVD
CVE-2026-6162 LOW - 3.5

A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. This impacts an unknown function of the file /bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has b...

Published: Apr 13, 2026
Source: NVD

UAF vulnerability in the screen management module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Apr 13, 2026
Source: NVD

Race condition vulnerability in the event notification module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Apr 13, 2026
Source: NVD

Race condition vulnerability in the notification service. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Apr 13, 2026
Source: NVD
CVE-2026-6107 LOW - 3.5

A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attac...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6106 LOW - 3.5

A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting....

Published: Apr 11, 2026
Source: NVD

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Vendor: Flatpak
Product: xdg-desktop-portal
Published: Apr 11, 2026
Source: NVD

phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circ...

Vendor: phpseclib
Product: phpseclib
Published: Apr 10, 2026
Source: NVD

TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.

Vendor: mauriceboe
Product: TREK
Published: Apr 10, 2026
Source: NVD

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension...

Vendor: smallstep
Product: certificates
Published: Apr 10, 2026
Source: NVD

OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 10, 2026
Source: NVD

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Vendor: systemd
Product: systemd
Published: Apr 10, 2026
Source: NVD
CVE-2026-6042 LOW - 3.3

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix thi...

Published: Apr 10, 2026
Source: NVD
CVE-2026-6003 LOW - 2.4

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fname leads to cross site scripting. The attack may be performed from remote. The exploit has been dis...

Published: Apr 10, 2026
Source: NVD

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role ma...

Vendor: OpenStack
Product: Keystone
Published: Apr 10, 2026
Source: NVD

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any vali...

Vendor: fluxcd
Product: notification-controller
Published: Apr 09, 2026
Source: NVD

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know t...

Vendor: henrygd
Product: beszel
Published: Apr 09, 2026
Source: NVD