Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,893
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 18,101 - 18,120 of 38,923 CVEs
CVE-2026-41459 MEDIUM - 5.3

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value re...

Vendor: thexerteproject
Product: xerteonlinetoolkits
Published: Apr 22, 2026
Source: NVD
CVE-2026-34415 CRITICAL - 9.8

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication ...

Vendor: thexerteproject
Product: xerteonlinetoolkits
Published: Apr 22, 2026
Source: NVD
CVE-2026-34414 HIGH - 7.1

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value contai...

Vendor: thexerteproject
Product: xerteonlinetoolkits
Published: Apr 22, 2026
Source: NVD
CVE-2026-34413 HIGH - 8.6

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the ...

Vendor: thexerteproject
Product: xerteonlinetoolkits
Published: Apr 22, 2026
Source: NVD
CVE-2026-28950 MEDIUM - 6.2

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.

Vendor: Apple
Product: iOS and iPadOS
Published: Apr 22, 2026
Source: NVD
CVE-2026-26354 HIGH - 8.1

Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain a stack-based Buffer Overflow vulnerability. An unauthenticated attacker ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 22, 2026
Source: NVD
CVE-2026-41422 HIGH - 8.3

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() โ€” a raw SQL literal expression builder โ€” without any validation. This bypassed all parameterization and allowed authe...

Vendor: go
Product: github.com/daptin/daptin
Published: Apr 22, 2026
Source: GitHub
CVE-2026-41240 MEDIUM - 6.1

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not app...

Vendor: npm
Product: dompurify
Published: Apr 22, 2026
Source: GitHub
CVE-2026-41239 MEDIUM - 6.8

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS v...

Vendor: npm
Product: dompurify
Published: Apr 22, 2026
Source: GitHub
CVE-2026-41238 MEDIUM - 6.9

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior proto...

Vendor: npm
Product: dompurify
Published: Apr 22, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: Apr 22, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user wi...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: Apr 22, 2026
Source: GitHub
CVE-2026-41201 MEDIUM - 6.8

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated v...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: Apr 22, 2026
Source: GitHub
CVE-2026-6515 MEDIUM - 5.4

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD
CVE-2026-5816 HIGH - 8.0

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD
CVE-2026-5377 MEDIUM - 4.3

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD
CVE-2026-5262 HIGH - 8.0

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input val...

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD
CVE-2026-4922 HIGH - 8.1

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD
CVE-2026-3254 LOW - 3.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD

Rejected reason: Voluntarily withdrawn

Published: Apr 22, 2026
Source: NVD