Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,421
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 19,061 - 19,080 of 39,155 CVEs
CVE-2026-30266 HIGH - 7.8

Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file

Vendor: deepcool
Product: deepcreative
Published: Apr 20, 2026
Source: NVD
CVE-2026-28684 MEDIUM - 6.6

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when ...

Vendor: theskumar
Product: python-dotenv
Published: Apr 20, 2026
Source: NVD
CVE-2026-26951 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerab...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-26943 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-26942 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-25525 MEDIUM - 4.9

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replac...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-25524 HIGH - 8.1

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` ...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-24506 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-24505 HIGH - 7.2

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-24504 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerab...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2026-22761 MEDIUM - 6.7

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 20, 2026
Source: NVD
CVE-2025-66954 MEDIUM - 6.5

A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is triggered by modifying a parameter within requests sent to the /nasapi endpoint.

Published: Apr 20, 2026
Source: NVD
CVE-2026-6652 MEDIUM - 4.7

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote ex...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6651 LOW - 2.4

A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been releas...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6650 MEDIUM - 4.7

A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6066 HIGH - 7.1

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traf...

Vendor: connectwise
Product: automate
Published: Apr 20, 2026
Source: NVD
CVE-2026-41245 MEDIUM - 5.9

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the...

Vendor: junrar
Product: junrar
Published: Apr 20, 2026
Source: NVD
CVE-2026-40896 MEDIUM - 6.5

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target p...

Vendor: opf
Product: openproject
Published: Apr 20, 2026
Source: NVD

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proce...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39918 CRITICAL - 9.8

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the ...

Vendor: givanz
Product: Vvveb
Published: Apr 20, 2026
Source: NVD