Total CVEs

142,714

Critical Severity

4,025

High Severity

14,400

Last 7 Days

1,388
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 19,021 - 19,040 of 39,119 CVEs
CVE-2026-40488 HIGH - 8.8

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete bloc...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-40098 MEDIUM - 5.4

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sha...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-35154 MEDIUM - 6.3

Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could poten...

Vendor: Dell
Product: PowerProtect Data Domain appliances
Published: Apr 20, 2026
Source: NVD
CVE-2026-30269 CRITICAL - 9.9

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privil...

Vendor: doorman
Product: doorman
Published: Apr 20, 2026
Source: NVD
CVE-2026-30266 HIGH - 7.8

Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file

Vendor: deepcool
Product: deepcreative
Published: Apr 20, 2026
Source: NVD
CVE-2026-28684 MEDIUM - 6.6

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when ...

Vendor: theskumar
Product: python-dotenv
Published: Apr 20, 2026
Source: NVD
CVE-2026-26951 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerab...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-26943 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-26942 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-25525 MEDIUM - 4.9

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replac...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-25524 HIGH - 8.1

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` ...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-24506 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-24505 HIGH - 7.2

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-24504 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerab...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-22761 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2025-66954 MEDIUM - 6.5

A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is triggered by modifying a parameter within requests sent to the /nasapi endpoint.

Published: Apr 20, 2026
Source: NVD
CVE-2026-6652 MEDIUM - 4.7

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote ex...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6651 LOW - 2.4

A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been releas...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6650 MEDIUM - 4.7

A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6066 HIGH - 7.1

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traf...

Vendor: connectwise
Product: automate
Published: Apr 20, 2026
Source: NVD