Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11346
Total
769
Critical
3260
High
3665
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42138 | UNKNOWN | — | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file … | May 04, 2026 |
| CVE-2026-42092 | MEDIUM | 6.5 | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. … | May 04, 2026 |
| CVE-2026-42091 | MEDIUM | 6.5 | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to … | May 04, 2026 |
| CVE-2026-42088 | CRITICAL | 9.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script … | May 04, 2026 |
| CVE-2026-42087 | CRITICAL | 9.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version … | May 04, 2026 |
| CVE-2026-42086 | MEDIUM | 4.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command … | May 04, 2026 |
| CVE-2026-42085 | MEDIUM | 4.3 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, … | May 04, 2026 |
| CVE-2026-42084 | HIGH | 8.1 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, … | May 04, 2026 |
| CVE-2026-42052 | UNKNOWN | — | Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted … | May 04, 2026 |
| CVE-2026-41572 | MEDIUM | 5.3 | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay … | May 04, 2026 |
| CVE-2026-41571 | CRITICAL | 9.4 | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no … | May 04, 2026 |
| CVE-2026-41471 | HIGH | 7.5 | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows … | May 04, 2026 |
| CVE-2026-37459 | HIGH | 7.5 | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | May 04, 2026 |
| CVE-2026-32834 | HIGH | 7.5 | Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that … | May 04, 2026 |
| CVE-2026-2828 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | May 04, 2026 |
| CVE-2026-29004 | HIGH | 8.1 | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to … | May 04, 2026 |
| CVE-2026-0073 | HIGH | 8.8 | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead … | May 04, 2026 |
| CVE-2026-42812 | CRITICAL | 9.9 | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to … | May 04, 2026 |
| CVE-2026-42811 | CRITICAL | 9.9 | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table … | May 04, 2026 |
| CVE-2026-42810 | CRITICAL | 9.9 | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same … | May 04, 2026 |
| CVE-2026-42809 | CRITICAL | 9.9 | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those … | May 04, 2026 |
| CVE-2026-42440 | HIGH | 7.5 | OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: before 2.5.9 before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and … | May 04, 2026 |
| CVE-2026-42376 | CRITICAL | 9.8 | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username … | May 04, 2026 |
| CVE-2026-42375 | CRITICAL | 9.8 | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" … | May 04, 2026 |
| CVE-2026-42374 | CRITICAL | 9.8 | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" … | May 04, 2026 |