Total CVEs

143,818

Critical Severity

4,094

High Severity

14,786

Last 7 Days

1,521
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 19,761 - 19,780 of 40,223 CVEs

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every inco...

Vendor: datasharingframework, dev.dsf
Product: dsf, dsf-bpe-process-api-v2, dsf-bpe-server
Published: Apr 21, 2026
Source: NVD

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This ...

Vendor: datasharingframework, dev.dsf
Product: dsf, dsf-bpe-server, dsf-common-jetty, dsf-fhir-server
Published: Apr 21, 2026
Source: NVD
CVE-2026-40706 HIGH - 8.4

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when pr...

Vendor: Tuxera
Product: NTFS-3G
Published: Apr 21, 2026
Source: NVD
CVE-2026-1354 MEDIUM - 6.4

Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first ...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6823 HIGH - 8.2

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls a...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6797 MEDIUM - 4.3

A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to laun...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6796 MEDIUM - 4.3

A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext sto...

Published: Apr 21, 2026
Source: NVD
CVE-2026-40938 HIGH - 7.5

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git pa...

Vendor: tektoncd
Product: pipeline
Published: Apr 21, 2026
Source: NVD
CVE-2026-40927 MEDIUM - 5.4

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.

Vendor: docmost
Product: docmost
Published: Apr 21, 2026
Source: NVD
CVE-2026-40925 HIGH - 8.3

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40924 MEDIUM - 6.5

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference t...

Vendor: tektoncd
Product: pipeline
Published: Apr 21, 2026
Source: NVD
CVE-2026-40923 MEDIUM - 5.4

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strin...

Vendor: tektoncd
Product: pipeline
Published: Apr 21, 2026
Source: NVD
CVE-2026-40911 CRITICAL - 10.0

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains t...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40910 MEDIUM - 6.5

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend...

Vendor: fatedier
Product: frp
Published: Apr 21, 2026
Source: NVD
CVE-2026-40906 CRITICAL - 9.9

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORD...

Vendor: electric-sql
Product: electric
Published: Apr 21, 2026
Source: NVD
CVE-2026-40905 HIGH - 8.1

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipu...

Vendor: Kovah
Product: LinkAce
Published: Apr 21, 2026
Source: NVD
CVE-2026-40895 HIGH - 7.5

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cooki...

Vendor: follow-redirects
Product: follow-redirects
Published: Apr 21, 2026
Source: NVD
CVE-2026-40892 CRITICAL - 9.8

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data...

Vendor: pjsip
Product: pjproject
Published: Apr 21, 2026
Source: NVD
CVE-2026-35252 MEDIUM - 6.4

Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle S...

Vendor: oracle
Product: fusion_middleware
Published: Apr 21, 2026
Source: NVD
CVE-2026-35251 HIGH - 7.5

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...

Vendor: oracle
Product: vm_virtualbox
Published: Apr 21, 2026
Source: NVD