Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,377
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 19,121 - 19,140 of 39,155 CVEs
CVE-2026-6620 MEDIUM - 6.3

A vulnerability was found in SonicCloudOrg sonic-server up to 2.0.0. The affected element is the function Upload of the file FileTool.java of the component File Upload Endpoint. The manipulation of the argument Type results in path traversal. The attack may be launched remotely. The exploit has been...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6619 LOW - 3.5

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiat...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6618 MEDIUM - 6.3

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. T...

Published: Apr 20, 2026
Source: NVD
CVE-2026-5967 HIGH - 8.8

ThreatSonar Anti-Ransomware developed by TeamT5 has an Privilege Escalation vulnerability. Authenticated remote attackers with shell access can inject OS commands and execute them with root privileges.

Published: Apr 20, 2026
Source: NVD
CVE-2026-39454 HIGH - 7.8

SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installation folder of the product. As a result, arbitrary code may be e...

Vendor: Sky Co.,LTD.
Product: SKYSEA Client View, SKYMEC IT Manager
Published: Apr 20, 2026
Source: NVD
CVE-2026-6617 MEDIUM - 6.3

A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function get_api_tool_provider_remote_schema of the file api/services/tools/api_tools_manage_service.py of the component ApiToolManageService. Performing a manipulation of the argument url results in server-s...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6616 MEDIUM - 6.3

A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract_with_bs4/extract_with_3k/extract_with_lxml of the file superagi/helper/webpage_extractor.py of the component WebScraperTool. Such manipulation leads to server-side request forger...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6615 HIGH - 7.3

A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate ...

Published: Apr 20, 2026
Source: NVD
CVE-2026-5966 HIGH - 8.1

ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system.

Published: Apr 20, 2026
Source: NVD
CVE-2026-5964 CRITICAL - 9.8

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Published: Apr 20, 2026
Source: NVD
CVE-2026-5963 CRITICAL - 9.8

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Published: Apr 20, 2026
Source: NVD
CVE-2026-41282 MEDIUM - 4.0

ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).

Vendor: ProjectDiscovery
Product: Nuclei
Published: Apr 20, 2026
Source: NVD
CVE-2026-6644 CRITICAL - 9.1

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied in...

Vendor: asustor
Product: data_master
Published: Apr 20, 2026
Source: NVD
CVE-2026-6643 CRITICAL - 9.9

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to ex...

Vendor: asustor
Product: data_master
Published: Apr 20, 2026
Source: NVD
CVE-2026-6614 MEDIUM - 6.3

A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be perfor...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6613 MEDIUM - 6.3

A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function delete_agent/stop_schedule/get_schedule_data of the file superagi/controllers/agent.py. The manipulation of the argument agent_id leads to authorization bypass. The attack is possible to be carried o...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6612 MEDIUM - 6.3

A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This impacts the function get_agent_execution/update_agent_execution of the file superagi/controllers/agent_execution.py of the component Agent Execution Endpoint. Executing a manipulation of the argument agent_execution_id ...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6611 LOW - 3.1

A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key . Remote exploitation of...

Published: Apr 20, 2026
Source: NVD
CVE-2024-7083 LOW - 3.5

The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: Apr 20, 2026
Source: NVD
CVE-2026-6610 LOW - 3.7

A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack may be launched remote...

Published: Apr 20, 2026
Source: NVD