Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,893
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,741 - 16,760 of 38,923 CVEs

In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-...

Vendor: npm
Product: @jupyter-notebook/help-extension
Published: Apr 30, 2026
Source: GitHub
CVE-2026-39383 HIGH - 8.6

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The F...

Vendor: go
Product: github.com/gotenberg/gotenberg/v8
Published: Apr 30, 2026
Source: GitHub
CVE-2026-40280 CRITICAL - 9.3

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() norma...

Vendor: go
Product: github.com/gotenberg/gotenberg/v8
Published: Apr 30, 2026
Source: GitHub
CVE-2026-36767 CRITICAL - 10.0

A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36764 MEDIUM - 5.0

A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36760 CRITICAL - 9.6

An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36757 MEDIUM - 4.3

A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

Published: Apr 30, 2026
Source: NVD
CVE-2025-71284 CRITICAL - 9.8

Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can i...

Vendor: Synway Information Engineering Co., Ltd.
Product: Synway SMG Gateway Management Software
Published: Apr 30, 2026
Source: NVD
CVE-2025-51846 HIGH - 7.5

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

Vendor: CryptPad
Product: CryptPad
Published: Apr 30, 2026
Source: NVD
CVE-2022-50993 CRITICAL - 9.8

Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Att...

Vendor: Weaver Network Co., Ltd.
Product: E-office
Published: Apr 30, 2026
Source: NVD
CVE-2022-50992 HIGH - 7.5

Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowServi...

Vendor: Weaver Network Co., Ltd.
Product: E-cology
Published: Apr 30, 2026
Source: NVD
CVE-2026-5174 HIGH - 7.7

Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

Vendor: progress
Product: moveit_automation
Published: Apr 30, 2026
Source: NVD
CVE-2026-4670 CRITICAL - 9.8

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

Vendor: progress
Product: moveit_automation
Published: Apr 30, 2026
Source: NVD
CVE-2026-38940 MEDIUM - 6.1

Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component

Published: Apr 30, 2026
Source: NVD
CVE-2026-38939 MEDIUM - 6.1

Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component

Published: Apr 30, 2026
Source: NVD
CVE-2026-36960 HIGH - 8.8

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a...

Published: Apr 30, 2026
Source: NVD
CVE-2026-36759 MEDIUM - 6.5

A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36758 MEDIUM - 4.3

A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36756 MEDIUM - 5.4

A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

Published: Apr 30, 2026
Source: NVD
CVE-2026-36340 HIGH - 8.1

An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function

Published: Apr 30, 2026
Source: NVD