Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12799 · Critical: 856 · High: 3690 · Medium: 4021
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40288 | CRITICAL | 9.8 | PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and … | Apr 14, 2026 |
| CVE-2026-40287 | HIGH | 8.4 | PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from … | Apr 14, 2026 |
| CVE-2026-1607 | MEDIUM | 6.4 | The Surbma \| Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and … | Apr 14, 2026 |
| CVE-2026-6264 | CRITICAL | 9.8 | A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the … | Apr 14, 2026 |
| CVE-2026-6227 | HIGH | 7.2 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, … | Apr 14, 2026 |
| CVE-2026-4388 | HIGH | 7.2 | The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions … | Apr 14, 2026 |
| CVE-2026-34984 | UNKNOWN | — | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in … | Apr 14, 2026 |
| CVE-2026-4365 | CRITICAL | 9.1 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up … | Apr 14, 2026 |
| CVE-2026-4352 | HIGH | 7.5 | The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, … | Apr 14, 2026 |
| CVE-2026-39426 | UNKNOWN | — | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses … | Apr 14, 2026 |
| CVE-2026-39425 | UNKNOWN | — | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject … | Apr 14, 2026 |
| CVE-2026-39419 | LOW | 3.1 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution … | Apr 14, 2026 |
| CVE-2026-34225 | MEDIUM | 4.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in … | Apr 14, 2026 |
| CVE-2026-39424 | UNKNOWN | — | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements … | Apr 14, 2026 |
| CVE-2026-39423 | UNKNOWN | — | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any … | Apr 14, 2026 |
| CVE-2026-39422 | UNKNOWN | — | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon … | Apr 14, 2026 |
| CVE-2026-39421 | MEDIUM | 6.3 | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes … | Apr 14, 2026 |
| CVE-2026-39420 | MEDIUM | 6.3 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution … | Apr 14, 2026 |
| CVE-2026-39418 | MEDIUM | 5.0 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN … | Apr 14, 2026 |
| CVE-2026-34264 | MEDIUM | 6.5 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges … | Apr 14, 2026 |
| CVE-2026-34262 | MEDIUM | 5.0 | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer | Apr 14, 2026 |
| CVE-2026-34261 | MEDIUM | 6.5 | Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function … | Apr 14, 2026 |
| CVE-2026-34257 | MEDIUM | 6.1 | Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, … | Apr 14, 2026 |
| CVE-2026-34256 | HIGH | 7.1 | Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report … | Apr 14, 2026 |
| CVE-2026-40164 | HIGH | 7.5 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table … | Apr 14, 2026 |