CVE Feed
Latest vulnerabilities from the National Vulnerability Database.

| Total | Critical | High | Medium |
|---|---|---|---|
| 13240 | 877 | 3855 | 4195 |

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34578 | HIGH | 8.2 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search … | Apr 09, 2026 |
| CVE-2025-70811 | UNKNOWN | — | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | Apr 09, 2026 |
| CVE-2025-70810 | UNKNOWN | — | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | Apr 09, 2026 |
| CVE-2025-62718 | UNKNOWN | — | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY … | Apr 09, 2026 |
| CVE-2025-50228 | UNKNOWN | — | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. | Apr 09, 2026 |
| CVE-2026-4660 | HIGH | 7.5 | HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This … | Apr 09, 2026 |
| CVE-2025-45806 | MEDIUM | 6.1 | A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | Apr 09, 2026 |
| CVE-2026-3005 | MEDIUM | 6.4 | The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, … | Apr 09, 2026 |
| CVE-2026-2519 | MEDIUM | 5.3 | The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up … | Apr 09, 2026 |
| CVE-2026-24661 | LOW | 3.7 | Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion … | Apr 09, 2026 |
| CVE-2026-21388 | LOW | 3.7 | Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion … | Apr 09, 2026 |
| CVE-2025-57735 | CRITICAL | 9.1 | When user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case … | Apr 09, 2026 |
| CVE-2024-1490 | HIGH | 7.2 | An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are … | Apr 09, 2026 |
| CVE-2026-4901 | UNKNOWN | — | Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the … | Apr 09, 2026 |
| CVE-2026-34538 | MEDIUM | 6.5 | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as … | Apr 09, 2026 |
| CVE-2026-34185 | UNKNOWN | — | Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject … | Apr 09, 2026 |
| CVE-2026-34184 | UNKNOWN | — | Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute … | Apr 09, 2026 |
| CVE-2026-34179 | CRITICAL | 9.1 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for … | Apr 09, 2026 |
| CVE-2026-34178 | CRITICAL | 9.1 | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, … | Apr 09, 2026 |
| CVE-2026-34177 | CRITICAL | 9.1 | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under … | Apr 09, 2026 |
| CVE-2025-62188 | HIGH | 7.5 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including … | Apr 09, 2026 |
| CVE-2026-5854 | CRITICAL | 9.8 | A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. … | Apr 09, 2026 |
| CVE-2026-5853 | CRITICAL | 9.8 | A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component … | Apr 09, 2026 |
| CVE-2026-5852 | CRITICAL | 9.8 | A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation … | Apr 09, 2026 |
| CVE-2026-5851 | CRITICAL | 9.8 | A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The … | Apr 09, 2026 |