Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,904
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,721 - 16,740 of 38,923 CVEs
CVE-2026-40601 HIGH - 7.5

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the tar...

Vendor: chartbrew
Product: chartbrew
Published: Apr 30, 2026
Source: NVD
CVE-2026-40600 HIGH - 8.1

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected ...

Vendor: chartbrew
Product: chartbrew
Published: Apr 30, 2026
Source: NVD
CVE-2026-40595 HIGH - 7.5

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The r...

Vendor: chartbrew
Product: chartbrew
Published: Apr 30, 2026
Source: NVD
CVE-2026-35514 MEDIUM - 6.5

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint ...

Vendor: chartbrew
Product: chartbrew
Published: Apr 30, 2026
Source: NVD
CVE-2026-32148 MEDIUM - 5.9

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.R...

Vendor: hexpm
Product: hex
Published: Apr 30, 2026
Source: NVD
CVE-2026-42191 MEDIUM - 6.5

OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set ...

Vendor: nuget
Product: OpenTelemetry.Exporter.OpenTelemetryProtocol
Published: Apr 30, 2026
Source: GitHub

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be f...

Vendor: npm
Product: @clerk/shared
Published: Apr 30, 2026
Source: GitHub
CVE-2026-3833 MEDIUM - 6.5

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting ...

Vendor: gnu
Product: gnutls
Published: Apr 30, 2026
Source: NVD
CVE-2026-3832 LOW - 3.7

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enable...

Published: Apr 30, 2026
Source: NVD
CVE-2026-36766 MEDIUM - 5.4

Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36765 HIGH - 8.8

An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36763 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36762 HIGH - 8.8

An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36761 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.

Published: Apr 30, 2026
Source: NVD
CVE-2026-33845 HIGH - 7.5

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat Hardened Images, Red Hat OpenShift Container Platform 4
Published: Apr 30, 2026
Source: NVD
CVE-2026-42449 HIGH - 8.5

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSR...

Vendor: npm
Product: n8n-mcp
Published: Apr 30, 2026
Source: GitHub
CVE-2026-42032 MEDIUM - 9.1

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information This vulnerabilit...

Vendor: pip
Product: ckan
Published: Apr 30, 2026
Source: GitHub
CVE-2026-41654 MEDIUM - 8.1

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-...

Vendor: pip
Product: weblate
Published: Apr 30, 2026
Source: GitHub
CVE-2026-41519 MEDIUM - 4.2

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has ...

Vendor: pip
Product: weblate
Published: Apr 30, 2026
Source: GitHub
CVE-2026-40281 CRITICAL - 10.0

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate argum...

Vendor: go
Product: github.com/gotenberg/gotenberg/v8
Published: Apr 30, 2026
Source: GitHub