Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,318
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 19,221 - 19,240 of 39,155 CVEs

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted direct...

Vendor: editorconfig
Product: editorconfig-core-c
Published: Apr 18, 2026
Source: NVD
CVE-2026-40487 HIGH - 8.9

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a C...

Vendor: gitroomhq
Product: postiz-app
Published: Apr 18, 2026
Source: NVD
CVE-2026-1838 MEDIUM - 6.1

The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary ...

Published: Apr 18, 2026
Source: NVD
CVE-2026-1559 MEDIUM - 6.4

The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-lev...

Published: Apr 18, 2026
Source: NVD
CVE-2026-40572 CRITICAL - 9.0

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kern...

Vendor: MinecAnton209
Product: NovumOS
Published: Apr 18, 2026
Source: NVD
CVE-2026-40350 HIGH - 8.8

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the rout...

Vendor: leepeuker
Product: movary
Published: Apr 18, 2026
Source: NVD
CVE-2026-40317 CRITICAL - 9.3

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitra...

Vendor: MinecAnton209
Product: NovumOS
Published: Apr 18, 2026
Source: NVD
CVE-2026-35465 HIGH - 7.5

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper ...

Vendor: freedomofpress
Product: securedrop-client
Published: Apr 18, 2026
Source: NVD
CVE-2026-41078 MEDIUM - 5.9

OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high...

Vendor: nuget
Product: OpenTelemetry.Exporter.Jaeger
Published: Apr 18, 2026
Source: GitHub
CVE-2026-40881 MEDIUM - 7.5

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB mess...

Vendor: rust
Product: zebrad
Published: Apr 18, 2026
Source: GitHub
CVE-2026-40880 HIGH - 8.1

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 ...

Vendor: rust
Product: zebra-consensus
Published: Apr 18, 2026
Source: GitHub
CVE-2026-40593 MEDIUM - 4.8

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking charact...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authenticatio...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD
CVE-2026-40581 HIGH - 8.1

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a ...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD
CVE-2026-40485 MEDIUM - 5.3

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An una...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD
CVE-2026-40484 CRITICAL - 9.1

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file exte...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD
CVE-2026-40483 MEDIUM - 5.4

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking cha...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API laye...

Vendor: ChurchCRM
Product: CRM
Published: Apr 18, 2026
Source: NVD
CVE-2026-40349 HIGH - 8.8

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a...

Vendor: leepeuker
Product: movary
Published: Apr 18, 2026
Source: NVD