Total CVEs

142,714

Critical Severity

4,025

High Severity

14,400

Last 7 Days

1,388
Quick preset (or use dates below)
Clear Filters
šŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 19,001 - 19,020 of 39,119 CVEs
CVE-2026-32311 CRITICAL - 9.8

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relat...

Vendor: reconurge
Product: flowsint
Published: Apr 20, 2026
Source: NVD
CVE-2026-32135 HIGH - 7.5

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter...

Vendor: nanomq
Product: nanomq
Published: Apr 20, 2026
Source: NVD
CVE-2026-29649 CRITICAL - 9.8

NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead ...

Vendor: xiangshan
Product: nemu
Published: Apr 20, 2026
Source: NVD
CVE-2026-29645 HIGH - 7.5

NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted a...

Vendor: xiangshan
Product: nemu
Published: Apr 20, 2026
Source: NVD
CVE-2026-6248 HIGH - 8.1

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store a...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6060 MEDIUM - 4.5

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:Ā  * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.3.X

Published: Apr 20, 2026
Source: NVD

Rejected reason: This CVE id was assigned as a duplicate of CVE-2025-66414.

Published: Apr 20, 2026
Source: NVD
CVE-2026-41389 MEDIUM - 5.8

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosi...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 20, 2026
Source: NVD
CVE-2026-39112 MEDIUM - 5.4

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitor...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39111 HIGH - 7.5

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries and retrieve sensitive user data.

Published: Apr 20, 2026
Source: NVD
CVE-2026-39110 HIGH - 8.2

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sen...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39109 CRITICAL - 9.4

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database c...

Published: Apr 20, 2026
Source: NVD
CVE-2026-26399 MEDIUM - 5.3

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the functio...

Published: Apr 20, 2026
Source: NVD
CVE-2026-23758 MEDIUM - 5.4

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Cont...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23757 MEDIUM - 5.4

GFI HelpDesk before 4.99.10Ā contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a re...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23756 MEDIUM - 5.4

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can in...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23753 MEDIUM - 4.8

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An a...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23752 MEDIUM - 4.8

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inj...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-6662 HIGH - 7.3

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remote...

Published: Apr 20, 2026
Source: NVD
CVE-2026-41445 HIGH - 8.8

KissFFT before commitĀ 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc()...

Vendor: mborgerding
Product: kissfft
Published: Apr 20, 2026
Source: NVD