Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 12628 vulnerabilities (849 critical, 3640 high, 3960 medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40865 | UNKNOWN | — | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows … | Apr 21, 2026 |
| CVE-2026-40614 | UNKNOWN | — | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus … | Apr 21, 2026 |
| CVE-2026-40613 | HIGH | 7.5 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer … | Apr 21, 2026 |
| CVE-2026-22751 | MEDIUM | 4.8 | Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue … | Apr 21, 2026 |
| CVE-2026-41194 | MEDIUM | 5.4 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It … | Apr 21, 2026 |
| CVE-2026-41193 | CRITICAL | 9.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, … | Apr 21, 2026 |
| CVE-2026-41192 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any … | Apr 21, 2026 |
| CVE-2026-40611 | HIGH | 8.8 | Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file … | Apr 21, 2026 |
| CVE-2026-40608 | MEDIUM | 6.2 | Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST … | Apr 21, 2026 |
| CVE-2026-40606 | MEDIUM | 4.8 | mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 … | Apr 21, 2026 |
| CVE-2026-40604 | UNKNOWN | — | ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can … | Apr 21, 2026 |
| CVE-2026-40602 | MEDIUM | 5.6 | The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assistant-cli, an unrestricted environment was used to handle … | Apr 21, 2026 |
| CVE-2026-40599 | UNKNOWN | — | ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID … | Apr 21, 2026 |
| CVE-2026-40594 | MEDIUM | 4.8 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from … | Apr 21, 2026 |
| CVE-2026-40588 | HIGH | 8.1 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and … | Apr 21, 2026 |
| CVE-2026-40587 | MEDIUM | 6.5 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when … | Apr 21, 2026 |
| CVE-2026-6743 | LOW | 3.5 | A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. … | Apr 21, 2026 |
| CVE-2026-5652 | CRITICAL | 9.0 | An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via … | Apr 21, 2026 |
| CVE-2026-41191 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only … | Apr 21, 2026 |
| CVE-2026-41190 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who … | Apr 21, 2026 |
| CVE-2026-41189 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but … | Apr 21, 2026 |
| CVE-2026-41183 | MEDIUM | 4.3 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder … | Apr 21, 2026 |
| CVE-2026-40592 | MEDIUM | 5.9 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user … | Apr 21, 2026 |
| CVE-2026-40591 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` … | Apr 21, 2026 |
| CVE-2026-40590 | MEDIUM | 4.3 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow … | Apr 21, 2026 |