Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,707
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 16,181 - 16,200 of 38,432 CVEs
CVE-2026-7506 HIGH - 7.3

A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the publ...

Published: Apr 30, 2026
Source: NVD
CVE-2026-7505 HIGH - 7.3

A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9...

Published: Apr 30, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Apr 30, 2026
Source: NVD
CVE-2026-28909 MEDIUM - 6.5

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.

Vendor: Apple
Product: macOS
Published: Apr 30, 2026
Source: NVD
CVE-2026-7551 HIGH - 8.8

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to...

Vendor: hkuds
Product: openharness
Published: Apr 30, 2026
Source: NVD
CVE-2026-7503 HIGH - 8.8

A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be laun...

Published: Apr 30, 2026
Source: NVD
CVE-2026-7502 MEDIUM - 5.4

A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Management Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remote...

Published: Apr 30, 2026
Source: NVD
CVE-2026-6543 HIGH - 8.8

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal networ...

Published: Apr 30, 2026
Source: NVD
CVE-2026-6542 MEDIUM - 6.5

IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.

Vendor: langflow
Product: langflow
Published: Apr 30, 2026
Source: NVD
CVE-2026-6389 HIGH - 8.8

IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, es...

Vendor: ibm
Product: turbonomic_prometurbo_agent
Published: Apr 30, 2026
Source: NVD
CVE-2026-40687 MEDIUM - 4.8

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

Vendor: Exim
Product: Exim
Published: Apr 30, 2026
Source: NVD

In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.

Vendor: Exim
Product: Exim
Published: Apr 30, 2026
Source: NVD
CVE-2026-40685 MEDIUM - 6.5

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

Vendor: Exim
Product: Exim
Published: Apr 30, 2026
Source: NVD
CVE-2026-40684 MEDIUM - 5.9

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

Vendor: Exim
Product: Exim
Published: Apr 30, 2026
Source: NVD
CVE-2026-3345 MEDIUM - 6.5

IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Published: Apr 30, 2026
Source: NVD
CVE-2026-2311 MEDIUM - 6.4

IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 s vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check.  A malicious actor could cause user-controlled code to run with administrator privilege.

Vendor: ibm
Product: i
Published: Apr 30, 2026
Source: NVD
CVE-2026-1577 MEDIUM - 6.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.

Vendor: ibm
Product: db2
Published: Apr 30, 2026
Source: NVD
CVE-2025-36335 MEDIUM - 6.2

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.

Vendor: IBM
Product: watsonx.data intelligence
Published: Apr 30, 2026
Source: NVD
CVE-2025-36180 MEDIUM - 5.3

IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.

Vendor: IBM
Product: watsonx.data
Published: Apr 30, 2026
Source: NVD
CVE-2025-36122 MEDIUM - 6.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.

Vendor: IBM
Product: Db2
Published: Apr 30, 2026
Source: NVD