Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,911
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 16,501 - 16,520 of 38,655 CVEs
CVE-2025-14543 CRITICAL - 9.1

Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3...

Vendor: RTI
Product: Connext Professional
Published: Apr 30, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12494. Reason: This candidate is a reservation duplicate of CVE-2025-12494. Notes: All CVE users should reference CVE-2025-12494 instead of this candidate. All references and descriptions in this candidate have been...

Published: Apr 30, 2026
Source: NVD
CVE-2026-7500 MEDIUM - 5.4

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` ...

Vendor: redhat
Product: build_of_keycloak
Published: Apr 30, 2026
Source: NVD
CVE-2026-36959 HIGH - 7.5

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized ...

Vendor: u-speed
Product: n300_firmware
Published: Apr 30, 2026
Source: NVD
CVE-2026-36958 HIGH - 7.5

A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the ro...

Vendor: u-speed
Product: n300_firmware
Published: Apr 30, 2026
Source: NVD
CVE-2026-36957 HIGH - 7.5

Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffer...

Vendor: dbitnet
Product: dbit_n300_t1_pro_firmware
Published: Apr 30, 2026
Source: NVD
CVE-2026-36956 HIGH - 8.8

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An a...

Vendor: dbitnet
Product: dbit_n300_t1_pro_firmware
Published: Apr 30, 2026
Source: NVD
CVE-2026-7246 HIGH - 7.2

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

Vendor: palletsprojects
Product: click
Published: Apr 30, 2026
Source: NVD
CVE-2026-7163 MEDIUM - 6.1

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hu...

Vendor: redhat
Product: multicluster_engine_for_kubernetes
Published: Apr 30, 2026
Source: NVD
CVE-2026-2892 HIGH - 7.5

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated u...

Published: Apr 30, 2026
Source: NVD
CVE-2026-7402 HIGH - 8.1

Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

Published: Apr 30, 2026
Source: NVD
CVE-2026-7399 HIGH - 8.1

Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

Published: Apr 30, 2026
Source: NVD
CVE-2026-7382 MEDIUM - 6.5

Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

Published: Apr 30, 2026
Source: NVD
CVE-2025-14576 HIGH - 7.8

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service,...

Vendor: The Qt Company
Product: Qt
Published: Apr 30, 2026
Source: NVD
CVE-2024-13971 HIGH - 7.5

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Vendor: Lobster GmbH
Product: Lobster_pro
Published: Apr 30, 2026
Source: NVD
CVE-2026-5080 MEDIUM - 5.9

Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-...

Vendor: perldancer
Product: dancer\
Published: Apr 30, 2026
Source: NVD
CVE-2026-41882 HIGH - 7.4

In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server

Vendor: JetBrains
Product: IntelliJ IDEA
Published: Apr 30, 2026
Source: NVD
CVE-2026-31693 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on replay In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary re...

Vendor: Linux
Product: Linux
Published: Apr 30, 2026
Source: NVD
CVE-2026-1493 MEDIUM - 5.4

LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can p...

Vendor: wolterskluwer
Product: lex_baza_dokumentow
Published: Apr 30, 2026
Source: NVD
CVE-2026-31787 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma...

Vendor: Linux
Product: Linux
Published: Apr 30, 2026
Source: NVD