CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12600 | Critical: 849 | High: 3629 | Medium: 3944
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41485 | HIGH | 7.7 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` … | Apr 24, 2026 |
| CVE-2026-41430 | UNKNOWN | — | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected … | Apr 24, 2026 |
| CVE-2026-41324 | HIGH | 7.5 | basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings … | Apr 24, 2026 |
| CVE-2026-41323 | HIGH | 8.1 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically … | Apr 24, 2026 |
| CVE-2026-41319 | MEDIUM | 6.5 | MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle … | Apr 24, 2026 |
| CVE-2026-41318 | MEDIUM | 5.4 | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's … | Apr 24, 2026 |
| CVE-2026-41068 | HIGH | 7.7 | Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by … | Apr 24, 2026 |
| CVE-2026-2028 | MEDIUM | 5.3 | The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in … | Apr 24, 2026 |
| CVE-2026-41317 | UNKNOWN | — | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). `press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to … | Apr 24, 2026 |
| CVE-2026-41316 | HIGH | 8.1 | ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and … | Apr 24, 2026 |
| CVE-2026-41309 | HIGH | 8.2 | Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can … | Apr 24, 2026 |
| CVE-2026-41305 | MEDIUM | 6.1 | PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions … | Apr 24, 2026 |
| CVE-2026-40254 | MEDIUM | 4.2 | FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The … | Apr 24, 2026 |
| CVE-2026-33318 | HIGH | 8.8 | Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from … | Apr 24, 2026 |
| CVE-2026-33317 | HIGH | 8.7 | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In … | Apr 24, 2026 |
| CVE-2026-33208 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the `/config/<service>/find-in-config` endpoint in … | Apr 24, 2026 |
| CVE-2026-33078 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save … | Apr 24, 2026 |
| CVE-2026-33077 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has … | Apr 24, 2026 |
| CVE-2026-33076 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could … | Apr 24, 2026 |
| CVE-2026-32952 | MEDIUM | 5.3 | go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out … | Apr 24, 2026 |
| CVE-2026-41325 | UNKNOWN | — | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the … | Apr 24, 2026 |
| CVE-2026-40099 | UNKNOWN | — | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the … | Apr 24, 2026 |
| CVE-2026-34587 | UNKNOWN | — | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific … | Apr 24, 2026 |
| CVE-2026-32870 | UNKNOWN | — | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, … | Apr 24, 2026 |
| CVE-2026-31956 | MEDIUM | 4.3 | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated … | Apr 24, 2026 |