CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 12628 | 849 | 3640 | 3960 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40589 | HIGH | 7.6 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an … | Apr 21, 2026 |
| CVE-2026-40586 | HIGH | 7.5 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts … | Apr 21, 2026 |
| CVE-2026-40585 | HIGH | 7.4 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and … | Apr 21, 2026 |
| CVE-2026-40584 | UNKNOWN | — | RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters … | Apr 21, 2026 |
| CVE-2026-40583 | UNKNOWN | — | UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and … | Apr 21, 2026 |
| CVE-2026-40576 | CRITICAL | 9.4 | excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When … | Apr 21, 2026 |
| CVE-2026-40574 | MEDIUM | 6.8 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of … | Apr 21, 2026 |
| CVE-2026-40570 | UNKNOWN | — | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data … | Apr 21, 2026 |
| CVE-2026-40569 | CRITICAL | 9.0 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints … | Apr 21, 2026 |
| CVE-2026-40568 | HIGH | 8.5 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature … | Apr 21, 2026 |
| CVE-2026-40567 | MEDIUM | 5.8 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated … | Apr 21, 2026 |
| CVE-2026-40566 | MEDIUM | 4.1 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection … | Apr 21, 2026 |
| CVE-2026-40279 | LOW | 3.7 | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer … | Apr 21, 2026 |
| CVE-2026-40161 | HIGH | 7.7 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured … | Apr 21, 2026 |
| CVE-2026-40050 | CRITICAL | 9.8 | CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host … | Apr 21, 2026 |
| CVE-2026-38835 | CRITICAL | 9.8 | Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to … | Apr 21, 2026 |
| CVE-2026-38834 | HIGH | 7.3 | Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to … | Apr 21, 2026 |
| CVE-2026-35451 | MEDIUM | 5.7 | Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack … | Apr 21, 2026 |
| CVE-2026-30452 | MEDIUM | 6.5 | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned … | Apr 21, 2026 |
| CVE-2026-29179 | LOW | 3.3 | October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were … | Apr 21, 2026 |
| CVE-2026-27937 | LOW | 3.1 | October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the … | Apr 21, 2026 |
| CVE-2026-26274 | MEDIUM | 6.6 | October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy … | Apr 21, 2026 |
| CVE-2026-26067 | MEDIUM | 4.9 | October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling … | Apr 21, 2026 |
| CVE-2026-25542 | MEDIUM | 6.5 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against … | Apr 21, 2026 |
| CVE-2026-24189 | HIGH | 8.2 | NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful … | Apr 21, 2026 |