Total CVEs

142,696

Critical Severity

4,021

High Severity

14,390

Last 7 Days

1,406
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 18,821 - 18,840 of 39,101 CVEs
CVE-2026-40567 MEDIUM - 5.8

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and ...

Vendor: freescout-help-desk
Product: freescout
Published: Apr 21, 2026
Source: NVD
CVE-2026-40566 MEDIUM - 4.1

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682...

Vendor: freescout-help-desk
Product: freescout
Published: Apr 21, 2026
Source: NVD

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value โ‰ฅ 0x80), the left-shift ope...

Vendor: bacnet-stack
Product: bacnet-stack
Published: Apr 21, 2026
Source: NVD
CVE-2026-40161 HIGH - 7.7

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or Pi...

Vendor: tektoncd
Product: pipeline
Published: Apr 21, 2026
Source: NVD
CVE-2026-40050 CRITICAL - 9.8

CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability e...

Vendor: CrowdStrike
Product: LogScale Self-Hosted
Published: Apr 21, 2026
Source: NVD
CVE-2026-38835 CRITICAL - 9.8

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Vendor: tenda
Product: w30e_firmware
Published: Apr 21, 2026
Source: NVD
CVE-2026-38834 HIGH - 7.3

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Vendor: tenda
Product: w30e_firmware
Published: Apr 21, 2026
Source: NVD
CVE-2026-35451 MEDIUM - 5.7

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: UR...

Vendor: twentyhq
Product: twenty
Published: Apr 21, 2026
Source: NVD
CVE-2026-30452 MEDIUM - 6.5

Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textp...

Published: Apr 21, 2026
Source: NVD

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access b...

Vendor: octobercms
Product: october
Published: Apr 21, 2026
Source: NVD

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 an...

Vendor: octobercms
Product: october
Published: Apr 21, 2026
Source: NVD
CVE-2026-26274 MEDIUM - 6.6

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup ...

Vendor: octobercms
Product: october
Published: Apr 21, 2026
Source: NVD
CVE-2026-26067 MEDIUM - 4.9

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the com...

Vendor: octobercms
Product: october
Published: Apr 21, 2026
Source: NVD
CVE-2026-25542 MEDIUM - 6.5

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a matc...

Vendor: tektoncd
Product: pipeline
Published: Apr 21, 2026
Source: NVD
CVE-2026-24189 HIGH - 8.2

NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.

Vendor: NVIDIA
Product: CUDA-Q
Published: Apr 21, 2026
Source: NVD
CVE-2026-24177 HIGH - 7.7

NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.

Vendor: NVIDIA
Product: KAI Scheduler
Published: Apr 21, 2026
Source: NVD
CVE-2026-24176 MEDIUM - 4.3

NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.

Vendor: NVIDIA
Product: KAI Scheduler
Published: Apr 21, 2026
Source: NVD

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. ย  This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR...

Vendor: Atlassian
Product: Bamboo Data Center
Published: Apr 21, 2026
Source: NVD

Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write ...

Vendor: Seeyon Internet Software
Product: A8-V5 Collaborative Management Software, A8+ Collaborative Management Software
Published: Apr 21, 2026
Source: NVD
CVE-2026-40565 MEDIUM - 6.1

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first v...

Vendor: freescout-help-desk
Product: freescout
Published: Apr 21, 2026
Source: NVD