Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11202
Total
755
Critical
3234
High
3640
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42810 | CRITICAL | 9.9 | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same … | May 04, 2026 |
| CVE-2026-42809 | CRITICAL | 9.9 | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those … | May 04, 2026 |
| CVE-2026-42440 | HIGH | 7.5 | OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: before 2.5.9 before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and … | May 04, 2026 |
| CVE-2026-42376 | CRITICAL | 9.8 | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username … | May 04, 2026 |
| CVE-2026-42375 | CRITICAL | 9.8 | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" … | May 04, 2026 |
| CVE-2026-42374 | CRITICAL | 9.8 | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" … | May 04, 2026 |
| CVE-2026-42373 | CRITICAL | 9.8 | D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username … | May 04, 2026 |
| CVE-2026-42372 | HIGH | 8.8 | D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username … | May 04, 2026 |
| CVE-2026-42090 | CRITICAL | 9.6 | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version … | May 04, 2026 |
| CVE-2026-42080 | MEDIUM | 4.6 | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has … | May 04, 2026 |
| CVE-2026-42079 | HIGH | 8.6 | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated … | May 04, 2026 |
| CVE-2026-42078 | MEDIUM | 4.6 | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. … | May 04, 2026 |
| CVE-2026-42077 | MEDIUM | 5.2 | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to … | May 04, 2026 |
| CVE-2026-42076 | CRITICAL | 9.8 | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute … | May 04, 2026 |
| CVE-2026-42075 | HIGH | 8.1 | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers … | May 04, 2026 |
| CVE-2026-42027 | CRITICAL | 9.8 | Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by … | May 04, 2026 |
| CVE-2026-40682 | CRITICAL | 9.1 | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static … | May 04, 2026 |
| CVE-2026-38669 | MEDIUM | 6.1 | wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog. | May 04, 2026 |
| CVE-2026-37461 | HIGH | 7.5 | An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP … | May 04, 2026 |
| CVE-2026-29514 | HIGH | 8.8 | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to … | May 04, 2026 |
| CVE-2026-26956 | CRITICAL | 9.8 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside … | May 04, 2026 |
| CVE-2026-26332 | CRITICAL | 9.8 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue … | May 04, 2026 |
| CVE-2026-25293 | CRITICAL | 9.6 | Buffer overflow due to incorrect authorization in PLC FW | May 04, 2026 |
| CVE-2026-25266 | MEDIUM | 5.5 | Memory corruption while processing IOCTL command when device is in power-save state. | May 04, 2026 |
| CVE-2026-24781 | CRITICAL | 9.8 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows … | May 04, 2026 |