Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,421
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,201 - 17,220 of 39,155 CVEs
CVE-2026-40229 MEDIUM - 5.4

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notifica...

Vendor: helpyio
Product: helpy
Published: Apr 29, 2026
Source: NVD
CVE-2026-38993 MEDIUM - 6.5

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

Published: Apr 29, 2026
Source: NVD
CVE-2026-38991 HIGH - 8.8

Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code t...

Published: Apr 29, 2026
Source: NVD
CVE-2026-37555 HIGH - 7.5

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before bein...

Vendor: libsndfile_project
Product: libsndfile
Published: Apr 29, 2026
Source: NVD
CVE-2026-30769 HIGH - 7.8

An issue in the TVicPort64.sys component of EnTech Taiwan TVicPort Product v4.0, File v5.2.1.0 allows attackers to escalate privileges via sending crafted IOCTL 0x80002008 requests.

Vendor: entechtaiwan
Product: tvicport
Published: Apr 29, 2026
Source: NVD

Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful expl...

Published: Apr 29, 2026
Source: NVD
CVE-2025-56537 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter.

Vendor: opennebula
Product: opennebula
Published: Apr 29, 2026
Source: NVD
CVE-2025-56536 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the user information parameter.

Vendor: opennebula
Product: opennebula
Published: Apr 29, 2026
Source: NVD
CVE-2025-56535 MEDIUM - 6.1

A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.

Vendor: opennebula
Product: opennebula
Published: Apr 29, 2026
Source: NVD
CVE-2025-56534 MEDIUM - 6.1

A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Vendor: opennebula
Product: opennebula
Published: Apr 29, 2026
Source: NVD
CVE-2026-7384 HIGH - 7.3

A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c. This impacts the function search_papers of the file research_server.py. Performing a manipulation of the argument topic results in path traversal. Remote exploitati...

Published: Apr 29, 2026
Source: NVD
CVE-2026-7111 HIGH - 8.4

Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or ...

Vendor: hmbrand
Product: text\
Published: Apr 29, 2026
Source: NVD
CVE-2026-5161 HIGH - 8.8

Improper link resolution before file access ('link following') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack. This issue affects Pardus About: before v1.2.1.

Published: Apr 29, 2026
Source: NVD
CVE-2026-5141 HIGH - 8.8

Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affects Pardus Software Center: from 1.0.2 before 1.0.3.

Published: Apr 29, 2026
Source: NVD
CVE-2026-41952 HIGH - 7.8

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Vendor: Acronis
Product: Acronis DeviceLock DLP, Acronis Cyber Protect Cloud Agent
Published: Apr 29, 2026
Source: NVD
CVE-2026-41220 HIGH - 7.8

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Vendor: Acronis
Product: Acronis DeviceLock DLP, Acronis Cyber Protect Cloud Agent
Published: Apr 29, 2026
Source: NVD
CVE-2026-38992 CRITICAL - 9.8

Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.

Published: Apr 29, 2026
Source: NVD
CVE-2026-36841 CRITICAL - 9.8

TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.

Published: Apr 29, 2026
Source: NVD
CVE-2026-36837 HIGH - 7.5

TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.

Published: Apr 29, 2026
Source: NVD
CVE-2026-25852 MEDIUM - 6.7

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.

Vendor: Acronis
Product: Acronis DeviceLock DLP
Published: Apr 29, 2026
Source: NVD