Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12651
Total
850
Critical
3653
High
3967
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-33877 | LOW | 3.7 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows … | Apr 15, 2026 |
| CVE-2026-21727 | LOW | 3.3 | --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana … | Apr 15, 2026 |
| CVE-2026-21726 | MEDIUM | 5.3 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at … | Apr 15, 2026 |
| CVE-2025-41118 | CRITICAL | 9.1 | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to … | Apr 15, 2026 |
| CVE-2026-6383 | MEDIUM | 5.4 | A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This … | Apr 15, 2026 |
| CVE-2026-6245 | MEDIUM | 5.5 | A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes … | Apr 15, 2026 |
| CVE-2026-5189 | UNKNOWN | — | CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write … | Apr 15, 2026 |
| CVE-2026-4857 | HIGH | 8.4 | IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned … | Apr 15, 2026 |
| CVE-2026-40256 | MEDIUM | 5.0 | Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple … | Apr 15, 2026 |
| CVE-2026-39845 | MEDIUM | 4.1 | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been … | Apr 15, 2026 |
| CVE-2026-34632 | HIGH | 8.2 | Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the … | Apr 15, 2026 |
| CVE-2026-34393 | HIGH | 8.8 | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This … | Apr 15, 2026 |
| CVE-2026-34244 | MEDIUM | 5.0 | Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can … | Apr 15, 2026 |
| CVE-2026-34242 | HIGH | 7.7 | Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the … | Apr 15, 2026 |
| CVE-2026-33667 | HIGH | 7.4 | OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no … | Apr 15, 2026 |
| CVE-2026-33440 | MEDIUM | 5.0 | Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict … | Apr 15, 2026 |
| CVE-2026-33435 | HIGH | 8.0 | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead … | Apr 15, 2026 |
| CVE-2026-33220 | MEDIUM | 6.8 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper … | Apr 15, 2026 |
| CVE-2026-6290 | HIGH | 8.0 | Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This … | Apr 15, 2026 |
| CVE-2026-5758 | MEDIUM | 6.5 | JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS … | Apr 15, 2026 |
| CVE-2026-33214 | MEDIUM | 4.3 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper … | Apr 15, 2026 |
| CVE-2026-33212 | LOW | 3.1 | Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose … | Apr 15, 2026 |
| CVE-2026-32631 | HIGH | 7.4 | Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM … | Apr 15, 2026 |
| CVE-2026-30993 | CRITICAL | 9.8 | Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable … | Apr 15, 2026 |
| CVE-2026-6372 | HIGH | 7.5 | Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a … | Apr 15, 2026 |