Security

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

12604

Total

849

Critical

3630

High

3947

Medium

CVE ID	Severity	Score	Description	Published
CVE-2026-40937	HIGH	8.3	RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` …	Apr 22, 2026
CVE-2026-40882	HIGH	7.6	OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user …	Apr 22, 2026
CVE-2026-3837	UNKNOWN	—	An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. …	Apr 22, 2026
CVE-2026-34068	MEDIUM	6.8	nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` …	Apr 22, 2026
CVE-2026-34067	LOW	3.1	nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != …	Apr 22, 2026
CVE-2026-33733	HIGH	7.2	EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and …	Apr 22, 2026
CVE-2026-33656	CRITICAL	9.1	EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an …	Apr 22, 2026
CVE-2026-6019	UNKNOWN	—	http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the …	Apr 22, 2026
CVE-2026-3673	UNKNOWN	—	An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are …	Apr 22, 2026
CVE-2026-34066	MEDIUM	5.3	nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within …	Apr 22, 2026
CVE-2026-34065	HIGH	7.5	nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a …	Apr 22, 2026
CVE-2026-34064	MEDIUM	5.3	nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs …	Apr 22, 2026
CVE-2026-34063	HIGH	7.5	Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes …	Apr 22, 2026
CVE-2026-34062	MEDIUM	5.3	nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer …	Apr 22, 2026
CVE-2026-33471	CRITICAL	9.6	nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each …	Apr 22, 2026
CVE-2026-41469	MEDIUM	5.2	Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template …	Apr 22, 2026
CVE-2026-41468	HIGH	8.7	Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these …	Apr 22, 2026
CVE-2026-41459	MEDIUM	5.3	Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the …	Apr 22, 2026
CVE-2026-34415	CRITICAL	9.8	Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 …	Apr 22, 2026
CVE-2026-34414	HIGH	7.1	Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in …	Apr 22, 2026
CVE-2026-34413	HIGH	8.6	Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated …	Apr 22, 2026
CVE-2026-28950	UNKNOWN	—	A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications …	Apr 22, 2026
CVE-2026-26354	HIGH	8.1	Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release …	Apr 22, 2026
CVE-2026-6515	MEDIUM	5.4	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have …	Apr 22, 2026
CVE-2026-5816	HIGH	8.0	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated …	Apr 22, 2026

« Prev 292 293 294 295 296 Next »