Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 13055, Critical: 867, High: 3775, Medium: 4128
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-32932 | MEDIUM | 4.7 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker … | Apr 10, 2026 |
| CVE-2026-32931 | HIGH | 7.5 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an … | Apr 10, 2026 |
| CVE-2026-32930 | HIGH | 7.1 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page … | Apr 10, 2026 |
| CVE-2026-32894 | HIGH | 7.1 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page … | Apr 10, 2026 |
| CVE-2026-32893 | MEDIUM | 5.4 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an … | Apr 10, 2026 |
| CVE-2026-32892 | CRITICAL | 9.1 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. … | Apr 10, 2026 |
| CVE-2026-31941 | HIGH | 7.7 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall … | Apr 10, 2026 |
| CVE-2026-31940 | HIGH | 7.5 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session … | Apr 10, 2026 |
| CVE-2026-31939 | HIGH | 8.3 | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from … | Apr 10, 2026 |
| CVE-2026-1502 | UNKNOWN | — | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | Apr 10, 2026 |
| CVE-2025-66447 | NONE | — | Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to … | Apr 10, 2026 |
| CVE-2026-40200 | HIGH | 8.1 | An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented … | Apr 10, 2026 |
| CVE-2026-40160 | UNKNOWN | — | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. … | Apr 10, 2026 |
| CVE-2026-40159 | MEDIUM | 5.5 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings … | Apr 10, 2026 |
| CVE-2026-40158 | HIGH | 8.6 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running … | Apr 10, 2026 |
| CVE-2026-40157 | UNKNOWN | — | PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member … | Apr 10, 2026 |
| CVE-2026-40156 | HIGH | 7.8 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register … | Apr 10, 2026 |
| CVE-2026-40103 | MEDIUM | 4.3 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token … | Apr 10, 2026 |
| CVE-2026-40100 | MEDIUM | 5.3 | FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only … | Apr 10, 2026 |
| CVE-2026-40097 | LOW | 3.7 | Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index … | Apr 10, 2026 |
| CVE-2026-40086 | MEDIUM | 5.3 | Rembg is a tool to remove image backgrounds. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server allows unauthenticated remote attackers to … | Apr 10, 2026 |
| CVE-2026-40074 | UNKNOWN | — | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook … | Apr 10, 2026 |
| CVE-2026-40073 | UNKNOWN | — | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on … | Apr 10, 2026 |
| CVE-2026-35670 | MEDIUM | 5.9 | OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead … | Apr 10, 2026 |
| CVE-2026-35669 | HIGH | 8.8 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can … | Apr 10, 2026 |