Total CVEs

142,391

Critical Severity

3,964

High Severity

14,268

Last 7 Days

1,871
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,021 - 17,040 of 38,796 CVEs
CVE-2026-24231 MEDIUM - 6.3

NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL referencing the 0.0.0.0/8 address range through a blueprint configuration file or CLI flag. A successful ex...

Vendor: NVIDIA
Product: NemoClaw
Published: Apr 28, 2026
Source: NVD
CVE-2026-24222 HIGH - 8.6

NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox ...

Vendor: NVIDIA
Product: NemoClaw
Published: Apr 28, 2026
Source: NVD
CVE-2026-24204 MEDIUM - 6.5

NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may lead to information disclosure.

Vendor: NVIDIA
Product: FLARE SDK
Published: Apr 28, 2026
Source: NVD
CVE-2026-24186 HIGH - 8.8

NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution.

Vendor: NVIDIA
Product: FLARE SDK
Published: Apr 28, 2026
Source: NVD
CVE-2026-24178 CRITICAL - 9.8

NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information di...

Vendor: NVIDIA
Product: FLARE SDK
Published: Apr 28, 2026
Source: NVD
CVE-2026-41873 CRITICAL - 9.8

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under dev...

Vendor: apache
Product: pony_mail
Published: Apr 28, 2026
Source: NVD
CVE-2026-38948 MEDIUM - 5.4

Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.

Published: Apr 28, 2026
Source: NVD
CVE-2026-38651 HIGH - 8.2

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, g...

Published: Apr 28, 2026
Source: NVD
CVE-2025-60889 CRITICAL - 9.8

Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.

Published: Apr 28, 2026
Source: NVD
CVE-2025-60887 MEDIUM - 5.3

An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, wh...

Published: Apr 28, 2026
Source: NVD
CVE-2026-7324 HIGH - 7.3

Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.

Vendor: mozilla
Product: firefox
Published: Apr 28, 2026
Source: NVD
CVE-2026-7323 HIGH - 7.3

Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 1...

Vendor: mozilla
Product: firefox
Published: Apr 28, 2026
Source: NVD
CVE-2026-7322 HIGH - 7.3

Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0, Thunderbird ESR 140.10.0, Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. T...

Vendor: mozilla
Product: firefox
Published: Apr 28, 2026
Source: NVD
CVE-2026-7321 CRITICAL - 9.6

Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.

Vendor: mozilla
Product: firefox
Published: Apr 28, 2026
Source: NVD
CVE-2026-7320 HIGH - 7.5

Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.

Vendor: mozilla
Product: firefox
Published: Apr 28, 2026
Source: NVD
CVE-2026-7289 HIGH - 8.8

A vulnerability was found in D-Link DIR-825M 1.1.12. This issue affects the function sub_414BA8 of the file /boafrm/formWanConfigSetup. The manipulation of the argument submit-url results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.

Vendor: dlink
Product: dir-825m_firmware
Published: Apr 28, 2026
Source: NVD
CVE-2026-7288 HIGH - 8.8

A vulnerability has been found in D-Link DIR-825M 1.1.12. This vulnerability affects the function sub_4151FC of the file /boafrm/formVpnConfigSetup. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to ...

Vendor: dlink
Product: dir-825m_firmware
Published: Apr 28, 2026
Source: NVD
CVE-2026-7283 MEDIUM - 4.7

A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function save_expired of the file /ajax.php?action=save_expired. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has...

Published: Apr 28, 2026
Source: NVD
CVE-2026-7282 MEDIUM - 4.7

A vulnerability was identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function delete_expired of the file /ajax.php?action=delete_expired. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is p...

Published: Apr 28, 2026
Source: NVD

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0....

Vendor: Spring
Product: Spring gRPC
Published: Apr 28, 2026
Source: NVD